
CVE-2025-10763: Unrestricted Upload in academico-sis academico

Severity: Medium
Tags: Vulnerability, CVE-2025-10763
Published: Sun Sep 21 2025 (09/21/2025, 05:02:05 UTC)
Source: CVE Database V5
Vendor/Project: academico-sis
Product: academico

Description

A vulnerability was determined in academico-sis academico up to d9a9e2636fbf7e5845ee086bcb03ca62faceb6ab. Affected by this issue is some unknown functionality of the file /edit-photo of the component Profile Picture Handler. This manipulation causes unrestricted upload. The attack can be carried out remotely. The exploit has been publicly disclosed and may be utilized. This product adopts a rolling release strategy to maintain continuous delivery. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 09/29/2025, 00:46:10 UTC

Technical Analysis

CVE-2025-10763 is a medium-severity vulnerability in academico-sis academico, specifically in the Profile Picture Handler component reached through the /edit-photo endpoint. It allows a remote attacker to perform an unrestricted file upload without user interaction and with no more than low-level privileges, so an attacker with minimal access can place arbitrary files on the server. Unrestricted upload flaws are a common route to placing web shells or other malware, which can lead to remote code execution, server compromise, and lateral movement within the affected environment. The product follows a rolling release strategy, but as of the disclosure date no patch or vendor response had been provided. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, no user interaction, and low impact on confidentiality, integrity, and availability individually; combined, these still amount to significant risk. The exploit has been publicly disclosed, which increases the likelihood of exploitation, although no active exploitation in the wild has been reported. The absence of a vendor response and of a patch makes proactive mitigation urgent. The product is used in educational and academic management contexts, where user profile management, including profile pictures, is a common feature.
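To make the flaw class concrete, the following is an added example and not code from academico (the page does not show the project's implementation, and its language is not stated here, so Python is used for the demonstration). It places a weak profile-picture handler of the kind the analysis describes next to a hardened one: the weak version stores whatever the client sent under the client's own filename; the hardened version bounds the size, allow-lists the content by magic bytes, discards the client filename entirely and derives the stored name and extension server-side. The 2 MiB cap, the signature table and the sample inputs are assumptions constructed for the example.

```python
import os
import secrets
import tempfile

# Assumed policy for the example: profile pictures are capped at 2 MiB.
MAX_BYTES = 2 * 1024 * 1024

# Leading bytes that identify the image formats a profile-picture handler
# needs to accept. The client-supplied name and Content-Type are not trusted.
IMAGE_SIGNATURES = (
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
)


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def weak_stored_name(client_filename, data):
    """The unrestricted pattern: the file is stored under whatever name the
    client sent and its content is never inspected, so any file type,
    including server-side scripts, is stored as-is. Shown only for contrast."""
    return client_filename


def sniff_image_type(data):
    """Return the canonical extension for the detected image type, or None."""
    for magic, ext in IMAGE_SIGNATURES:
        if data.startswith(magic):
            return ext
    return None


def hardened_stored_name(client_filename, data):
    """Validate a profile-picture upload and return the server-chosen name.

    Controls: size bound; content allow-list by magic bytes; the client
    filename is discarded entirely (no path components, double extensions or
    script suffixes can survive) and the extension is derived from the sniffed
    type; the base name is random so it cannot be guessed or used to
    overwrite another user's picture.
    Magic-byte sniffing alone does not defeat a valid image with extra bytes
    appended; in production pair this with storage that the web server never
    executes and with re-encoding through an image library.
    """
    if len(data) > MAX_BYTES:
        raise UploadRejected("file exceeds %d bytes" % MAX_BYTES)
    ext = sniff_image_type(data)
    if ext is None:
        raise UploadRejected("content is not a supported image type")
    # client_filename is intentionally not used in the stored name.
    return "%s.%s" % (secrets.token_hex(16), ext)


def is_accepted(client_filename, data):
    """Boolean convenience wrapper around hardened_stored_name."""
    try:
        hardened_stored_name(client_filename, data)
        return True
    except UploadRejected:
        return False


def save_profile_picture(upload_dir, client_filename, data):
    """Store a validated upload inside upload_dir and return the full path."""
    name = hardened_stored_name(client_filename, data)
    path = os.path.join(upload_dir, name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    # Constructed sample inputs, not files from any real deployment.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    not_an_image = b"plain text pretending to be a picture"
    print("weak handler stores:", weak_stored_name("avatar.php", not_an_image))
    print("hardened handler stores:", hardened_stored_name("avatar.php", png))
    try:
        hardened_stored_name("avatar.png", not_an_image)
    except UploadRejected as exc:
        print("hardened handler rejects:", exc)
    with tempfile.TemporaryDirectory() as d:
        print("saved to", save_profile_picture(d, "avatar.png", png))
```

The design point is that nothing the client controls (name, extension, declared type) influences what is stored or where; only the inspected content and server-side policy do. Even so, the directory that receives the files should be served as static data and never be handled by a script interpreter.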

Potential Impact

For European organizations, particularly educational institutions or entities using academico-sis academico for academic management, this vulnerability poses a significant risk. Successful exploitation could allow attackers to upload malicious files, leading to unauthorized access, data breaches, or disruption of services. Confidentiality of sensitive student or staff data could be compromised, integrity of academic records altered, and availability of the system disrupted. Given the public disclosure and absence of patches, attackers may target these institutions to gain footholds or exfiltrate data. The impact is exacerbated in environments where the software is internet-facing or insufficiently segmented. Additionally, regulatory frameworks such as GDPR impose strict data protection requirements, and a breach resulting from this vulnerability could lead to legal and financial penalties. The medium severity rating suggests a moderate but tangible risk that should not be ignored, especially in critical academic infrastructures.

Mitigation Recommendations

Since no official patch is available, European organizations should implement immediate compensating controls. These include:

1) Restricting access to the /edit-photo endpoint via network controls such as IP allow-listing or VPN-only access to limit exposure.
2) Implementing strict file upload validation and filtering at the web server or application firewall level to block executable or suspicious file types.
3) Employing web application firewalls (WAFs) with custom rules to detect and block attempts to upload malicious payloads.
4) Monitoring logs for unusual upload activity or file types and setting up alerts for suspicious behavior.
5) Isolating the affected component in a sandboxed environment or container to limit potential damage.
6) Reviewing and tightening user privilege assignments to ensure only necessary users have upload capabilities.
7) Preparing incident response plans specific to web shell or malware detection.
8) Regularly backing up critical data and verifying restore procedures.

Organizations should also track vendor communications for any forthcoming patches and plan timely updates once available.
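Item 4 above (monitoring logs for unusual upload activity or file types) can be implemented against the web server's access log. The following is an added example written for this page, not a tool from academico or its vendor. It assumes combined log format; the /edit-photo endpoint comes from the advisory, while the /uploads/ prefix for served pictures, the burst threshold and window, and the sample log lines are all constructed assumptions. It raises two kinds of finding: a burst of POST requests to /edit-photo from one client, and any request under the upload store for a path that is not an image file, which is what a stored non-image being fetched looks like from the server's side.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for this example: combined log format; the upload endpoint is
# /edit-photo (from the advisory); stored pictures are served from under
# /uploads/ (assumed, not stated on the page).
UPLOAD_ENDPOINT = "/edit-photo"
UPLOAD_STORE_PREFIX = "/uploads/"
IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
BURST_THRESHOLD = 5                   # this many POSTs to /edit-photo ...
BURST_WINDOW = timedelta(minutes=10)  # ... from one IP within this window

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Sep/2025:10:00:01 +0000] "POST /edit-photo HTTP/1.1" 302 0
203.0.113.10 - - [21/Sep/2025:10:00:09 +0000] "POST /edit-photo HTTP/1.1" 302 0
203.0.113.10 - - [21/Sep/2025:10:00:15 +0000] "POST /edit-photo HTTP/1.1" 302 0
203.0.113.10 - - [21/Sep/2025:10:00:22 +0000] "POST /edit-photo HTTP/1.1" 302 0
203.0.113.10 - - [21/Sep/2025:10:00:30 +0000] "POST /edit-photo HTTP/1.1" 302 0
203.0.113.10 - - [21/Sep/2025:10:00:41 +0000] "GET /uploads/profile/a1b2c3.php HTTP/1.1" 200 512
198.51.100.7 - - [21/Sep/2025:10:05:00 +0000] "POST /edit-photo HTTP/1.1" 302 0
198.51.100.7 - - [21/Sep/2025:10:05:03 +0000] "GET /uploads/profile/7f3e9a.png HTTP/1.1" 200 20480
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    return rec


def path_extension(path):
    """Lower-cased final extension of the path component, '' if none."""
    base = path.split("?", 1)[0].rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def find_suspicious(lines):
    """Return a list of (kind, detail) findings over the given log lines."""
    findings = []
    posts = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            findings.append(("unparsed", line))
            continue
        if rec["method"] == "POST" and rec["path"].split("?", 1)[0] == UPLOAD_ENDPOINT:
            posts[rec["ip"]].append(rec["ts"])
        if rec["path"].startswith(UPLOAD_STORE_PREFIX):
            if path_extension(rec["path"]) not in IMAGE_EXTENSIONS:
                kind = "non_image_served" if rec["status"] < 400 else "non_image_requested"
                findings.append((kind, "%s %s %s -> %d" % (rec["ip"], rec["method"], rec["path"], rec["status"])))
    # Sliding window over each client's upload timestamps; one finding per IP.
    for ip, stamps in posts.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i
            while j < len(stamps) and stamps[j] - stamps[i] <= BURST_WINDOW:
                j += 1
            if j - i >= BURST_THRESHOLD:
                findings.append(("upload_burst", "%s: %d POST %s within %s" % (ip, j - i, UPLOAD_ENDPOINT, BURST_WINDOW)))
                break
    return findings


if __name__ == "__main__":
    for kind, detail in find_suspicious(SAMPLE_LOG.splitlines()):
        print(kind, "|", detail)
```

A "non_image_served" finding with a 2xx status is the one to page on: it means the web server returned, and possibly executed, a non-image file from the picture store. The burst rule is noisier and is better treated as a correlation signal alongside the directory contents and application logs.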


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-20T07:25:53.597Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68d0935fb68a0c387d42a931

Added to database: 9/22/2025, 12:07:59 AM

Last enriched: 9/29/2025, 12:46:10 AM

Last updated: 11/5/2025, 9:23:53 AM

Views: 59
