CVE-2025-65022 is an authenticated time-based SQL injection vulnerability identified in the portabilis i-educar school management software, specifically in versions 2.10.0 and earlier. The vulnerability resides in the ieducar/intranet/agenda.php script, where the cod_agenda request parameter is concatenated directly into SQL queries without proper sanitization or parameterization. This improper neutralization of special elements (CWE-89) allows an attacker with an authenticated session to inject arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The vulnerability does not require user interaction beyond authentication, and the attack vector is network-based with low complexity due to the lack of additional barriers. The CVSS 3.1 score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) indicates that while privileges are required, the impact on confidentiality, integrity, and availability is high. The issue has been addressed in a patch (commit b473f92), which corrects the input handling to prevent SQL injection. No public exploits have been reported yet, but the vulnerability poses a significant risk to organizations relying on i-educar for school management.

For European organizations, particularly educational institutions using i-educar, this vulnerability could lead to severe consequences including unauthorized disclosure of sensitive student and staff data, alteration or deletion of critical records, and potential disruption of school management operations. The compromise of confidentiality could expose personal identifiable information (PII), violating GDPR and other data protection regulations, leading to legal and financial penalties. Integrity breaches could undermine trust in the system’s data accuracy, affecting administrative decisions and reporting. Availability impacts could disrupt educational services, causing operational downtime. Given the authenticated nature of the exploit, insider threats or compromised user accounts pose a significant risk. The lack of known exploits currently provides a window for proactive mitigation, but the high CVSS score underscores the urgency for patching to prevent potential targeted attacks in the European education sector.

1. Immediately apply the official patch or update to i-educar that addresses CVE-2025-65022 (commit b473f92). 2. Implement strict input validation and parameterized queries for all user-supplied data, especially the cod_agenda parameter, to prevent SQL injection. 3. Restrict user privileges to the minimum necessary, limiting access to sensitive functions and data within the application. 4. Monitor authenticated sessions for unusual activity that may indicate exploitation attempts. 5. Conduct regular security audits and code reviews focusing on input handling and database interactions. 6. Employ web application firewalls (WAFs) with rules tuned to detect and block SQL injection attempts targeting i-educar. 7. Educate administrators and users on secure authentication practices to reduce the risk of credential compromise. 8. Maintain up-to-date backups of the database to enable recovery in case of data integrity or availability incidents.