CVE-2025-65022 is a time-based SQL injection vulnerability identified in the portabilis i-educar school management software, specifically in versions 2.10.0 and prior. The flaw exists in the ieducar/intranet/agenda.php script where the cod_agenda request parameter is concatenated directly into SQL queries without proper sanitization or parameterization. This improper neutralization of special elements (CWE-89) allows an attacker with an authenticated session to inject arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The vulnerability is exploitable remotely over the network without user interaction but requires valid authentication, which limits exposure to insiders or compromised accounts. The CVSS 3.1 base score of 7.2 reflects high severity due to the network attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability. Although no public exploits have been reported, the vulnerability poses a significant risk to the integrity of educational data managed by i-educar. The issue has been addressed in a patch identified by commit b473f92, which properly sanitizes the cod_agenda parameter to prevent injection. Organizations using affected versions should prioritize upgrading to patched releases and review their authentication and session management controls to mitigate risk.

For European organizations, particularly educational institutions using i-educar, this vulnerability can lead to severe consequences including unauthorized access to sensitive student and staff data, manipulation or deletion of records, and disruption of school management operations. The compromise of confidentiality could expose personal data protected under GDPR, leading to regulatory penalties and reputational damage. Integrity violations may result in incorrect academic records or attendance data, affecting educational outcomes and trust. Availability impacts could disrupt administrative functions, causing operational delays. Since exploitation requires authenticated access, insider threats or credential compromise are primary concerns. The widespread use of i-educar in some European countries' public education sectors amplifies the potential impact. Additionally, attackers could leverage this vulnerability as a foothold for further network intrusion or lateral movement within educational networks.

1. Immediately apply the official patch that addresses CVE-2025-65022 as identified in commit b473f92 to all affected i-educar instances. 2. Enforce strict access controls and least privilege principles to limit authenticated user capabilities, reducing the risk posed by compromised accounts. 3. Implement multi-factor authentication (MFA) to strengthen authentication security and reduce the likelihood of unauthorized access. 4. Conduct thorough code reviews and penetration testing focusing on input validation and SQL query construction to identify and remediate similar injection risks. 5. Monitor database logs and application behavior for unusual query patterns indicative of SQL injection attempts. 6. Educate administrative users about phishing and credential security to prevent account compromise. 7. Consider network segmentation to isolate school management systems from broader organizational networks, limiting lateral movement. 8. Regularly back up databases and verify backup integrity to enable recovery in case of data corruption or deletion.