
CVE-2025-10608: Improper Access Controls in Portabilis i-Educar

Medium
Published: Wed Sep 17 2025 (09/17/2025, 18:32:06 UTC)
Source: CVE Database V5
Vendor/Project: Portabilis
Product: i-Educar

Description

A vulnerability was detected in Portabilis i-Educar up to 2.10. The affected element is an unknown function of the file /enrollment-history/. Manipulation results in improper access controls. The attack can be carried out remotely. The exploit is now public and may be used.

AI-Powered Analysis

Last updated: 09/17/2025, 18:34:43 UTC

Technical Analysis

CVE-2025-10608 is a medium-severity vulnerability affecting Portabilis i-Educar versions up to 2.10. The vulnerability arises from improper access controls in an unspecified function related to the /enrollment-history/ endpoint. This flaw allows an unauthenticated remote attacker with low privileges to manipulate the system and bypass intended access restrictions. The vulnerability does not require user interaction and can be exploited over the network, which raises its risk profile. The CVSS 4.0 base score is 5.3, reflecting a moderate impact on confidentiality, integrity, and availability, with low attack complexity and no privileges required, but limited scope and impact. While no exploitation in the wild has been reported, a public exploit is available, which could facilitate exploitation by malicious actors. The vulnerability could allow unauthorized access to sensitive enrollment history data or manipulation of enrollment records, potentially leading to data leakage, unauthorized data modification, or disruption of educational administrative processes. Because i-Educar is an education management system, exposure of student and institutional data could have significant privacy and operational consequences.

Potential Impact

For European organizations, particularly educational institutions using Portabilis i-Educar, this vulnerability poses a risk of unauthorized data access and potential data integrity violations. Exposure of student enrollment histories could lead to privacy breaches, contravening GDPR requirements and resulting in regulatory penalties. Manipulation of enrollment data could disrupt administrative workflows, affecting student registrations, class assignments, and reporting. The remote and unauthenticated nature of the exploit increases the threat surface, especially for institutions with externally accessible i-Educar instances. This could undermine trust in educational services and necessitate costly incident response efforts. Furthermore, the availability of a public exploit increases the likelihood of opportunistic attacks targeting vulnerable deployments in Europe.

Mitigation Recommendations

Organizations should immediately audit their i-Educar deployments to identify affected versions (2.0 through 2.10). Since no official patch links are provided, it is critical to contact Portabilis for security updates or apply any available vendor advisories promptly. In the interim, restrict external access to the /enrollment-history/ endpoint via network-level controls such as firewalls or web application firewalls (WAFs) to limit exposure. Implement strict access control policies and monitor web-server logs for unusual access patterns related to enrollment history data, for example successful requests to the endpoint from outside expected staff networks or rapid sequential requests for many records. Employ network segmentation to isolate the i-Educar system from public networks where possible. Additionally, conduct thorough security assessments and penetration tests focusing on access control mechanisms within i-Educar. Educate administrative staff about the vulnerability and encourage prompt reporting of suspicious activity. Finally, ensure that backups of enrollment data are maintained securely to enable recovery in case of data tampering.
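The log-monitoring recommendation above, as an added detection example that is not part of this advisory or of i-Educar itself: it scans combined-format web-server access logs for successful requests to /enrollment-history/ from outside a trusted staff network and flags source IPs that pull many records in a row. The sample log lines, the trusted network range, and the burst threshold are all constructed assumptions for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.5.23 - - [17/Sep/2025:18:40:01 +0000] "GET /enrollment-history/?id=1042 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [17/Sep/2025:18:40:02 +0000] "GET /enrollment-history/?id=1042 HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.45 - - [17/Sep/2025:18:40:02 +0000] "GET /enrollment-history/?id=1043 HTTP/1.1" 200 5090 "-" "python-requests/2.31"
203.0.113.45 - - [17/Sep/2025:18:40:03 +0000] "GET /enrollment-history/?id=1044 HTTP/1.1" 200 5011 "-" "python-requests/2.31"
198.51.100.7 - - [17/Sep/2025:18:41:10 +0000] "GET /login HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

# Networks staff are expected to use (assumed for this example; adjust to your site).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
WATCHED_PATH = "/enrollment-history/"  # endpoint named in the advisory

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Split one combined-format log line into fields, or return None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_trusted(ip):
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETWORKS)

def find_suspicious(log_text, burst_threshold=3):
    """Return (hits, bursty): 2xx requests to WATCHED_PATH from untrusted sources,
    and the untrusted IPs making >= burst_threshold such requests (record enumeration)."""
    hits, per_ip = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["path"].startswith(WATCHED_PATH):
            continue  # other endpoints and unparsable lines are out of scope here
        if rec["status"].startswith("2") and not is_trusted(rec["ip"]):
            hits.append(rec)
            per_ip[rec["ip"]] += 1
    bursty = sorted(ip for ip, n in per_ip.items() if n >= burst_threshold)
    return hits, bursty

if __name__ == "__main__":
    hits, bursty = find_suspicious(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} {h["status"]} ua="{h["ua"]}"')
    print("possible enumeration from:", bursty)
```

A hit from a trusted network still deserves review once the vendor confirms the affected code path, since the flaw is in access control rather than network exposure; this filter only narrows the triage queue.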


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-17T07:04:49.482Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68caff33b5624fa867f4a632

Added to database: 9/17/2025, 6:34:27 PM

Last enriched: 9/17/2025, 6:34:43 PM

Last updated: 9/18/2025, 12:10:43 AM
