
CVE-2025-10844: SQL Injection in Portabilis i-Educar

Severity: Medium
Published: Tue Sep 23 2025 (09/23/2025, 06:32:06 UTC)
Source: CVE Database V5
Vendor/Project: Portabilis
Product: i-Educar

Description

A vulnerability has been found in Portabilis i-Educar up to and including version 2.10. The affected code is an unspecified function of the file /module/Cadastro/aluno. Manipulating the argument `is` leads to SQL injection. The attack can be launched remotely. An exploit has been disclosed publicly and may be used.

AI-Powered Analysis

Last updated: 09/24/2025, 00:12:31 UTC

Technical Analysis

CVE-2025-10844 is a SQL injection vulnerability in the Portabilis i-Educar platform affecting versions up to and including 2.10. The flaw sits in an unspecified function of the /module/Cadastro/aluno file, where an input argument reaches a SQL statement without adequate handling, so an attacker can alter the query the application executes. The description states that the attack can be carried out remotely; the page does not publish the CVSS vector, so the authentication and user-interaction requirements are not stated here. Successful exploitation affects the confidentiality, integrity and availability of the backing database: an attacker may read data the page was never meant to return, modify or delete records, or degrade the service. The CVSS 4.0 base score of 5.3 places the issue at medium severity. A public exploit has been disclosed, although there is no indication of exploitation in the wild; the availability of exploit details nevertheless lowers the bar for future attacks. Because i-Educar is a school management system, the data at risk includes student and institutional records, so the exposure carries privacy as well as operational consequences.

Potential Impact

For European organizations, particularly educational institutions running Portabilis i-Educar, this vulnerability could give an attacker unauthorized access to personal data of students, staff and faculty, with the GDPR and national data protection obligations that such a breach would trigger. The integrity of academic and administrative records could be compromised, affecting enrollment, grading and reporting. Availability disruptions could interrupt educational operations and cause reputational damage and delays. The medium severity rating means the risk is not critical, but exploitation could still result in a meaningful data breach or service interruption. Affected institutions should weigh the legal and compliance consequences of such exposure alongside the possibility that an attacker uses the flaw as an initial foothold in the institution's network.

Mitigation Recommendations

Organizations should update Portabilis i-Educar to a fixed version as soon as the vendor provides one; no patch links are currently available. In the interim, a web application firewall (WAF) with rules that detect and block SQL injection patterns in requests to the /module/Cadastro/aluno endpoint reduces exposure. Where a local build of the application is maintained, the durable fix is to pass the affected argument to the database through parameterized queries rather than relying on input validation or sanitization alone; validation of user-supplied parameters in the student registration module is still worthwhile as defense in depth. Run the application against a database account with the minimum privileges it needs, so that a successful injection cannot read or modify tables the module does not use. Review web-server and database logs regularly for injection indicators in requests to the affected endpoint. Segment the network so the school management system cannot reach critical infrastructure or other sensitive data stores. Make sure IT staff know what exploitation attempts look like and that an incident response plan for web application attacks is in place.
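One way to act on the log-review recommendation above, as an added example that is not part of this advisory or of the i-Educar project: a small Python scanner that reads web-server access logs, decodes the query string of every request to /module/Cadastro/aluno, and scores each parameter value against common SQL injection indicators. The log lines are constructed for the example, the parameter name `is` follows the description above, and the indicator list, weights and threshold are the example's own choices. A lone quote is deliberately weak evidence so that legitimate names such as O'Brien are not reported on their own.

```python
"""Scan access logs for SQL injection attempts against the i-Educar
/module/Cadastro/aluno endpoint (added example, not project code)."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample lines in combined log format; this is not captured traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Sep/2025:06:40:01 +0000] "GET /module/Cadastro/aluno?is=123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Sep/2025:06:40:05 +0000] "GET /module/Cadastro/aluno?is=123%27%20OR%201%3D1-- HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
198.51.100.2 - - [23/Sep/2025:06:41:12 +0000] "GET /module/Cadastro/aluno?is=1%20UNION%20SELECT%20NULL%2CNULL HTTP/1.1" 500 612 "-" "python-requests/2.32"
198.51.100.2 - - [23/Sep/2025:06:41:30 +0000] "GET /module/Cadastro/aluno?is=1%3Bselect%20pg_sleep%2810%29 HTTP/1.1" 200 5120 "-" "python-requests/2.32"
192.0.2.9 - - [23/Sep/2025:06:42:00 +0000] "GET /module/Cadastro/aluno?is=O%27Brien HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [23/Sep/2025:06:43:00 +0000] "GET /module/Agenda/index HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Client address, timestamp, request line and status code of a combined-format entry.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Weighted indicators (example's own list). A single quote alone scores 1 and
# is only reported together with a stronger signal.
INDICATORS = [
    ("single_quote", re.compile(r"'"), 1),
    ("tautology", re.compile(r"'\s*(?:or|and)\s+\S+\s*=\s*\S+", re.I), 2),
    ("sql_comment", re.compile(r"--|/\*"), 2),
    ("union_select", re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I), 2),
    ("stacked_query", re.compile(r";\s*(?:select|insert|update|delete|drop)\b", re.I), 2),
    ("time_based", re.compile(r"\b(?:pg_sleep|sleep|benchmark|waitfor)\s*\(", re.I), 2),
]
THRESHOLD = 2


def score_value(value: str):
    """Return (score, matched indicator names) for one decoded parameter value."""
    # Decode a second time to catch double URL-encoding; a no-op for plain values.
    decoded = unquote_plus(value)
    score, hits = 0, []
    for name, pattern, weight in INDICATORS:
        if pattern.search(decoded):
            score += weight
            hits.append(name)
    return score, hits


def scan_log(text: str, path_prefix: str = "/module/Cadastro/aluno"):
    """Return one finding per request to path_prefix whose parameter reaches THRESHOLD."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.startswith(path_prefix):
            continue
        # parse_qsl percent-decodes each value once.
        for param, value in parse_qsl(parts.query, keep_blank_values=True):
            score, hits = score_value(value)
            if score >= THRESHOLD:
                findings.append({
                    "ip": m["ip"], "ts": m["ts"], "status": m["status"],
                    "param": param, "value": value,
                    "score": score, "indicators": hits,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['param']}={f['value']!r} "
              f"score={f['score']} {','.join(f['indicators'])}")
```

Run against the constructed log, three of the six lines are reported: the tautology with a trailing comment, the UNION SELECT probe and the stacked query calling pg_sleep. The O'Brien lookup and the request to another module are not. Feed real logs via `scan_log(open(path).read())`; POST bodies are not in access logs, so injection through form fields needs the application or a reverse proxy to log request bodies.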


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-09-22T05:35:18.925Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68d336ad712f26b964ce8e99

Added to database: 9/24/2025, 12:09:17 AM

Last enriched: 9/24/2025, 12:12:31 AM

Last updated: 9/30/2025, 12:09:09 AM
