CVE-2025-10844: SQL Injection in Portabilis i-Educar
A vulnerability has been found in Portabilis i-Educar up to 2.10. Affected by this issue is some unknown functionality of the file /module/Cadastro/aluno. The manipulation of the argument is leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-10844 is a SQL injection vulnerability identified in the Portabilis i-Educar software, versions 2.0 through 2.10. The vulnerability resides in an unspecified functionality within the /module/Cadastro/aluno file, which handles student registration or data. An attacker can remotely exploit this flaw by manipulating an input argument to inject malicious SQL commands into the backend database queries. This injection can lead to unauthorized data access, modification, or deletion, compromising the confidentiality, integrity, and availability of the educational data managed by the system. The vulnerability requires low privileges (PR:L), meaning an attacker must have some level of authenticated access, but no user interaction is needed (UI:N). The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), and partial impact on confidentiality, integrity, and availability (each marked as low). Although no public exploits are currently known in the wild, the disclosure of the vulnerability increases the risk of exploitation. The lack of available patches at the time of publication necessitates immediate mitigation efforts. i-Educar is an educational management system used primarily in Brazil and some other countries, but its adoption in Europe is limited, though some institutions may use it or similar platforms. The vulnerability highlights the importance of input validation and secure coding practices in web applications managing sensitive educational data.
Potential Impact
For European organizations using Portabilis i-Educar, this vulnerability poses a risk of unauthorized access to sensitive student data, including personal information and academic records. Exploitation could lead to data breaches, manipulation of educational records, or denial of service through database corruption. The integrity of student data is critical for compliance with GDPR and other data protection regulations in Europe; thus, exploitation could result in legal and reputational damage. Additionally, attackers could leverage this vulnerability as a foothold to pivot within the network, potentially compromising other systems. Given the medium severity and requirement for low privilege, the threat is moderate but should not be underestimated, especially in institutions with limited cybersecurity resources. The impact extends beyond data loss to potential disruption of educational services, affecting students, staff, and administrative operations.
Mitigation Recommendations
1. Immediate mitigation should include restricting access to the /module/Cadastro/aluno endpoint to trusted users and networks only, using network segmentation and firewall rules.
2. Implement strict input validation and parameterized queries or prepared statements in the affected module to prevent SQL injection.
3. Monitor logs for unusual database query patterns or repeated failed attempts to manipulate input parameters.
4. Apply the vendor's patches or updates as soon as they become available; if patches are not yet released, consider temporary workarounds such as disabling the vulnerable module or limiting its functionality.
5. Conduct a thorough security audit of the entire i-Educar deployment to identify and remediate other potential injection points.
6. Educate administrators and users about the risks and signs of exploitation attempts.
7. Employ web application firewalls (WAFs) configured to detect and block SQL injection attempts targeting this specific endpoint.
8. Regularly back up databases and ensure backups are stored securely to enable recovery in case of data corruption or loss.
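Recommendations 3 and 7 above amount to watching requests to the affected endpoint for SQL syntax in their parameters. The following is an added example (not part of the advisory or of i-Educar itself) that scans web-server access logs in combined format for such requests; the log lines and the indicator patterns are constructed for illustration and should be tuned to your own traffic.

```python
"""Flag suspected SQL-injection probes against the i-Educar
/module/Cadastro/aluno endpoint in Apache/Nginx combined-format access logs.
Added example with constructed sample data; not the project's own tooling."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

TARGET_PATH = "/module/Cadastro/aluno"  # endpoint named in the advisory

# Combined log format: ip, ident, user, [timestamp], "request line", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Heuristic indicators of SQL syntax inside a parameter value (assumed set;
# expect some false positives on free-text fields and tune accordingly).
SQLI_INDICATORS = [
    re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", re.I),  # quote + tautology
    re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I),     # union-based
    re.compile(r"--\s*$|/\*.*\*/"),                          # comment terminators
    re.compile(r"\b(sleep|pg_sleep|benchmark)\s*\(", re.I),   # time-based probes
]


def suspicious_params(target):
    """Return [(name, value)] for query parameters of TARGET_PATH that match."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = unquote_plus(value)  # second decode catches double-encoding
        if any(p.search(decoded) for p in SQLI_INDICATORS):
            hits.append((name, decoded))
    return hits


def scan_log(lines):
    """Return findings as (ip, user, timestamp, [(param, value), ...])."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (hits := suspicious_params(m["target"])):
            findings.append((m["ip"], m["user"], m["ts"], hits))
    return findings


SAMPLE_LOG = [  # constructed lines; RFC 5737 documentation addresses
    '203.0.113.7 - secretaria [24/Sep/2025:08:12:01 +0000] "GET /module/Cadastro/aluno?id=1042 HTTP/1.1" 200 5120',
    '203.0.113.9 - secretaria [24/Sep/2025:08:13:44 +0000] "GET /module/Cadastro/aluno?id=1042%27%20OR%201%3D1--%20 HTTP/1.1" 200 91233',
    '198.51.100.4 - - [24/Sep/2025:08:14:10 +0000] "GET /module/Cadastro/turma?id=7%27%20OR%201%3D1 HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, user, ts, hits in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} user={user} suspicious params: {hits}")
```

Only the second sample line is reported: it targets the advisory's endpoint and carries a quote-plus-tautology payload, while the third line hits a different path and is ignored by design.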
Affected Countries
Portugal, Spain, Italy, France, Germany
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-22T05:35:18.925Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68d336ad712f26b964ce8e99
Added to database: 9/24/2025, 12:09:17 AM
Last enriched: 11/4/2025, 10:58:32 PM
Last updated: 11/15/2025, 4:00:45 PM