CVE-2025-10608: Improper Access Controls in Portabilis i-Educar
A vulnerability was detected in Portabilis i-Educar up to version 2.10. The affected element is an unknown function of the file /enrollment-history/. Manipulation of this function results in improper access controls. The attack can be carried out remotely. A public exploit is available and may be used.
AI Analysis
Technical Summary
CVE-2025-10608 is a medium-severity vulnerability in Portabilis i-Educar, reported for versions up to and including 2.10. It stems from improper access controls in an unspecified function behind the /enrollment-history/ path; the advisory does not say which check is missing or which records become reachable. The CVSS 4.0 vector is AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P: the attack is carried out over the network (AV:N), needs no special conditions (AC:L, AT:N) and no user interaction (UI:N), but does require an account with low privileges (PR:L), so this is not an unauthenticated flaw. Confidentiality, integrity and availability of the vulnerable system are each rated low (VC:L/VI:L/VA:L), meaning enrollment-history data can plausibly be read or altered beyond what the caller is entitled to, but with limited scope, and no impact on other systems is assessed (SC:N/SI:N/SA:N). E:P records that a proof-of-concept exploit is public, which raises the likelihood of opportunistic attempts even though no exploitation in the wild has been reported. The affected range, 2.0 through 2.10, points to a long-standing defect that is likely present in many deployments, and the absence of patch links at the time of writing suggests that a fix had not yet been published. The flaw matters most to educational institutions that use i-Educar to manage enrollment and student records, where unauthorized reading or modification of enrollment histories is a direct data-protection concern.
Potential Impact
For European organizations running i-Educar, in particular schools and education authorities, the flaw could expose or alter student enrollment histories, which are personal data under the GDPR; a confirmed breach would carry notification duties and possible regulatory penalties. Because the weakness is an access-control failure rather than a crash, the more likely outcome is quiet disclosure or tampering with records, undermining the reliability of enrollment history as an administrative record. The severity is medium, but a public proof-of-concept and a low bar for the attacker (a low-privileged account, no user interaction, reachable over the network) make exploitation attempts realistic wherever the application is exposed to untrusted users. Until a fix is applied, operators cannot rely on the application alone to keep enrollment data confidential and intact.
Mitigation Recommendations
Inventory all Portabilis i-Educar deployments and record their versions; anything from 2.0 through 2.10 is in scope. Until a vendor fix is available, restrict who can reach /enrollment-history/ at the network edge or reverse proxy, for example by limiting it to internal address ranges or VPN users, and add a web application firewall rule that logs and, where practical, blocks requests to that path from other sources. Because exploitation requires only a low-privileged account (PR:L), review how such accounts are created and who holds them: disable dormant and shared accounts and turn off self-registration if it is not needed. Enable request logging for the endpoint and watch for a single client requesting many distinct enrollment-history paths in a short time, or for access from unexpected addresses; both are the patterns a public proof-of-concept is likely to produce. Contact Portabilis for a patch or release schedule and apply the fix as soon as it is published. Require multi-factor authentication for administrative accounts so that a compromised low-privilege account cannot easily be escalated into broader access, and prepare an incident-response playbook for a suspected enrollment-data compromise, including how to determine which records were accessed.
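The following script is an added example for this advisory; it is not code from the advisory or from the i-Educar project. It applies two of the mitigations above to a combined-format (Apache/nginx) access log: it reports requests to the endpoint from outside the trusted ranges, and it reports any client that requests many distinct enrollment-history paths within a short window, which is what probing an access-control flaw with a public proof-of-concept tends to look like. The endpoint prefix (TARGET_PREFIX), the trusted ranges (TRUSTED_NETS) and the log lines in SAMPLE_LOG are assumptions constructed for the example and must be adjusted to the real deployment.

```python
"""Access-log triage for the /enrollment-history/ endpoint (added example)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One Apache/nginx "combined" log line, e.g.
# 10.0.0.5 - - [17/Sep/2025:10:00:01 +0000] "GET /enrollment-history/1001 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

TARGET_PREFIX = "/enrollment-history/"          # assumed path of the affected endpoint
TRUSTED_NETS = [                                 # assumed internal + VPN ranges
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],       # drop the query string
        "status": int(m["status"]),
    }


def is_trusted(ip):
    """True if ip lies inside one of TRUSTED_NETS; malformed addresses count as untrusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def triage(lines, window_seconds=300, max_distinct=5):
    """Scan log lines and return (untrusted_hits, enumerators).

    untrusted_hits: [(ip, path, status)] for endpoint requests from outside TRUSTED_NETS.
    enumerators:    {ip: n} for clients that requested more than max_distinct distinct
                    endpoint paths within any span of window_seconds.
    """
    window = timedelta(seconds=window_seconds)
    untrusted = []
    per_ip = defaultdict(list)                   # ip -> [(timestamp, path)]
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(TARGET_PREFIX):
            continue
        if not is_trusted(rec["ip"]):
            untrusted.append((rec["ip"], rec["path"], rec["status"]))
        per_ip[rec["ip"]].append((rec["ts"], rec["path"]))

    enumerators = {}
    for ip, hits in per_ip.items():
        hits.sort()                              # chronological order
        best, start = 0, 0
        for end in range(len(hits)):
            # advance the window start until it spans at most `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, len({p for _, p in hits[start:end + 1]}))
        if best > max_distinct:
            enumerators[ip] = best
    return untrusted, enumerators


# Constructed sample: one internal staff client, one external client walking
# consecutive record ids one second apart, and one unrelated internal request.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Sep/2025:10:00:01 +0000] "GET /enrollment-history/1001 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [17/Sep/2025:10:00:09 +0000] "GET /enrollment-history/1001/edit HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.7 - - [17/Sep/2025:10:01:0{i} +0000] "GET /enrollment-history/{1001 + i} HTTP/1.1" 200 512 "-" "curl/8.0"'
    for i in range(7)
] + [
    '10.0.0.9 - - [17/Sep/2025:10:02:00 +0000] "GET /enrollment-history/1002?tab=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [17/Sep/2025:11:30:00 +0000] "GET /students/42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits, enums = triage(SAMPLE_LOG)
    for ip, path, status in hits:
        print(f"untrusted source {ip} -> {path} ({status})")
    for ip, n in enums.items():
        print(f"possible enumeration from {ip}: {n} distinct paths in {300}s")
```

Run against the sample, the external client 203.0.113.7 is reported both as an untrusted source and as an enumerator (seven distinct records in seven seconds), while the two internal clients are not. The thresholds are deliberately conservative; on a real server, tune window_seconds and max_distinct against a week of normal traffic before acting on the output, and feed the same two signals to the WAF rule and the SIEM rather than relying on a one-off script.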
Affected Countries
Portugal, Spain, France, Germany, Italy, United Kingdom, Netherlands, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-17T07:04:49.482Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68caff33b5624fa867f4a632
Added to database: 9/17/2025, 6:34:27 PM
Last enriched: 9/25/2025, 12:39:14 AM
Last updated: 12/14/2025, 8:16:50 AM