
CVE-2025-10607: Information Disclosure in Portabilis i-Educar

Severity: Medium
Published: Wed Sep 17 2025 (09/17/2025, 18:02:08 UTC)
Source: CVE Database V5
Vendor/Project: Portabilis
Product: i-Educar

Description

A security vulnerability has been detected in Portabilis i-Educar up to 2.10. Impacted is an unknown function of the file /module/Avaliacao/diarioApi. Such manipulation leads to information disclosure. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.

AI-Powered Analysis

Last updated: 09/17/2025, 18:13:12 UTC

Technical Analysis

CVE-2025-10607 is a medium-severity information disclosure vulnerability affecting Portabilis i-Educar versions up to 2.10. The vulnerability resides in an unspecified function within the /module/Avaliacao/diarioApi file. This flaw allows an unauthenticated remote attacker to manipulate the vulnerable function and disclose sensitive information. The CVSS 4.0 vector indicates that the attack can be performed remotely (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N); it records low privileges required (PR:L), which sits slightly at odds with the characterization of the attacker as unauthenticated and may be a minor discrepancy. The vulnerability impacts confidentiality (VC:L) but not integrity or availability. The scope is unchanged, meaning the vulnerability affects only the vulnerable component. Although no exploitation in the wild has been observed, a public exploit has been disclosed, which increases the risk of exploitation. The vulnerability likely exposes sensitive data stored or processed by the i-Educar platform, an educational management system used primarily in Brazil but possibly deployed elsewhere. The lack of detailed technical information about the exact nature of the data disclosed limits a precise impact assessment, but information disclosure vulnerabilities can leak personally identifiable information (PII), student records, or system configuration details that could facilitate further attacks.

Potential Impact

For European organizations, the impact depends on the adoption of Portabilis i-Educar within educational institutions or related entities. If deployed, the vulnerability could lead to unauthorized disclosure of sensitive student or staff data, violating GDPR and other data protection regulations, potentially resulting in legal penalties and reputational damage. The exposure of internal system information could also aid attackers in crafting more targeted attacks, increasing the risk of subsequent compromise. The medium severity rating suggests a moderate risk, but the presence of a public exploit increases urgency. Educational institutions are often targeted due to the sensitive nature of their data and sometimes weaker cybersecurity postures. Therefore, European schools or educational bodies using i-Educar could face confidentiality breaches, undermining trust and compliance with data protection laws.

Mitigation Recommendations

Given the absence of an official patch link, organizations should immediately assess their use of i-Educar and the affected versions (2.0 through 2.10). Mitigation steps include:

1) Restricting external access to the /module/Avaliacao/diarioApi endpoint via network controls such as firewalls or web application firewalls (WAFs), so that only trusted internal networks can reach it.
2) Implementing strict access controls and monitoring on the vulnerable module to detect unusual access patterns.
3) Applying virtual patching with WAF rules that block known exploit patterns once the exploit details have been analyzed.
4) Engaging with Portabilis for official patches or updates and planning a prompt upgrade once one is available.
5) Conducting thorough audits of logs and data access to identify any potential exploitation attempts.
6) Educating IT staff and users about the vulnerability and encouraging vigilance for suspicious activity.

These targeted mitigations go beyond generic advice by focusing on network-level restrictions and proactive monitoring tailored to the specific vulnerable component.
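As an added illustration of mitigation steps 2 and 5 (example code written for this page, not code from the advisory, from VulDB or from Portabilis), the script below scans web-server access-log lines for requests to the endpoint named above and reports those coming from outside a set of trusted internal ranges. The only value taken from the page is the endpoint path; the log lines, the trusted ranges, the query strings and the client addresses (RFC 5737 documentation ranges) are constructed for the example, and the trusted ranges would need to be replaced with the deployment's actual internal networks.

```python
import ipaddress
import re
from collections import Counter

# Endpoint path taken from the advisory; everything else below is constructed for the example.
TARGET_PATH = "/module/Avaliacao/diarioApi"

# Assumed trusted ranges (RFC 1918 plus loopback); adjust to the real internal networks.
TRUSTED_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Apache/nginx "combined"-style access log line: ip ident user [ts] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one access-log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Compare on the path only: query strings vary and must not defeat the match.
    rec["path"] = rec["target"].split("?", 1)[0]
    return rec


def is_trusted(ip_text):
    """True if the client address lies in a trusted range; unparseable addresses are untrusted."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETWORKS)


def find_external_hits(lines):
    """Return records for requests to the vulnerable endpoint from outside the trusted ranges."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed or non-matching lines instead of crashing the scan
        if rec["path"] == TARGET_PATH and not is_trusted(rec["ip"]):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count flagged requests per source address, most active first."""
    return dict(Counter(rec["ip"] for rec in hits).most_common())


# Constructed sample log; the external addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
192.168.1.20 - - [17/Sep/2025:18:05:01 +0000] "GET /module/Avaliacao/diarioApi?example=1 HTTP/1.1" 200 1843
203.0.113.45 - - [17/Sep/2025:18:05:02 +0000] "GET /module/Avaliacao/diarioApi?example=1 HTTP/1.1" 200 1843
203.0.113.45 - - [17/Sep/2025:18:05:03 +0000] "GET /module/Avaliacao/diarioApi?example=2 HTTP/1.1" 200 5120
203.0.113.45 - - [17/Sep/2025:18:05:04 +0000] "GET /index.php HTTP/1.1" 200 512
198.51.100.7 - - [17/Sep/2025:18:06:10 +0000] "POST /module/Avaliacao/diarioApi HTTP/1.1" 401 0
this line is not in combined log format
"""

if __name__ == "__main__":
    flagged = find_external_hits(SAMPLE_LOG.splitlines())
    for rec in flagged:
        print(f'{rec["ts"]} {rec["ip"]} {rec["method"]} {rec["path"]} -> {rec["status"]}')
    print("per-source counts:", summarize(flagged))
```

Run against a real log with `find_external_hits(open(path))`; the internal request on the first line and the external request for /index.php are ignored, while the three external requests to the endpoint are reported, including the one that was refused with a 401, since repeated refused attempts are themselves worth an analyst's attention.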


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-17T07:04:46.682Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68caf94c33b75e972181a555

Added to database: 9/17/2025, 6:09:16 PM

Last enriched: 9/17/2025, 6:13:12 PM

Last updated: 11/1/2025, 7:11:31 AM

Views: 37

