CVE-2025-10845 identifies an SQL injection vulnerability in the Portabilis i-Educar platform, specifically affecting versions 2.0 through 2.10. The vulnerability resides in the /module/ComponenteCurricular/view endpoint, where the ID parameter is not properly sanitized before being used in SQL queries. This improper input validation allows an attacker to craft malicious input that alters the intended SQL command, potentially leading to unauthorized data access or manipulation. The vulnerability can be exploited remotely without user interaction, but requires low-level privileges on the system. The CVSS 4.0 base score of 5.3 reflects a medium severity, considering the attack vector is network-based, the attack complexity is low, and no authentication is needed. The impact covers confidentiality, integrity, and availability, though with limited scope and impact severity (low impact on each). While no known exploits are currently active in the wild, proof-of-concept exploit code has been published, increasing the likelihood of exploitation attempts. The vulnerability affects educational institutions using i-Educar, a platform widely deployed in some European countries. The lack of vendor patches at the time of publication necessitates immediate mitigation efforts to prevent exploitation. The vulnerability underscores the importance of secure coding practices, especially input validation and parameterized queries, in web applications handling sensitive educational data.

The SQL injection vulnerability in i-Educar could have significant impacts on European educational organizations using this platform. Exploitation could lead to unauthorized disclosure of sensitive student and staff data, including personal information and academic records, thereby violating data protection regulations such as GDPR. Attackers could also modify or delete critical data, undermining data integrity and disrupting educational operations. Availability could be affected if attackers execute commands that degrade or crash the database service, causing downtime. The medium CVSS score reflects moderate risk, but the presence of publicly available exploit code increases the urgency. European institutions with limited cybersecurity resources may face challenges in timely detection and response. The breach of confidentiality and integrity could result in reputational damage, regulatory penalties, and loss of trust. Additionally, attackers could leverage the compromised system as a foothold for further network intrusion. Given the remote exploitability and lack of required user interaction, the threat is accessible to a wide range of adversaries, including opportunistic attackers and cybercriminals targeting educational data.

To mitigate CVE-2025-10845, organizations should immediately inventory their i-Educar deployments and verify affected versions. Although no official patches are listed yet, organizations should monitor vendor communications closely and apply patches as soon as they become available. In the interim, implement strict input validation and sanitization on the ID parameter at the application or web server level to block malicious SQL payloads. Employ web application firewalls (WAFs) configured with rules to detect and block SQL injection attempts targeting the vulnerable endpoint. Conduct thorough database activity monitoring to identify anomalous queries indicative of exploitation attempts. Restrict database user privileges to the minimum necessary to limit the impact of any successful injection. Network segmentation should isolate the i-Educar servers from critical infrastructure to contain potential breaches. Regularly back up databases and verify backup integrity to enable recovery from data corruption or deletion. Educate IT staff and users about the risks and signs of exploitation. Finally, consider deploying runtime application self-protection (RASP) tools to detect and prevent injection attacks in real time.