
CVE-2025-65024: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in portabilis i-educar

Severity: High
Tags: Vulnerability, CVE-2025-65024, CWE-89
Published: Wed Nov 19 2025 (11/19/2025, 16:02:06 UTC)
Source: CVE Database V5
Vendor/Project: portabilis
Product: i-educar

Description

i-Educar is free, fully online school management software. In versions 2.10.0 and prior, an authenticated time-based SQL injection vulnerability exists in the ieducar/intranet/agenda_admin_cad.php script. An attacker with access to an authenticated session can execute arbitrary SQL commands against the application's database. This vulnerability is caused by the improper handling of the cod_agenda GET parameter, which is directly concatenated into an SQL query without proper sanitization. This issue has been patched in commit 3e9763a.

AI-Powered Analysis

Last updated: 11/26/2025, 16:39:24 UTC

Technical Analysis

CVE-2025-65024 is a time-based SQL injection vulnerability identified in the open-source school management software i-educar, specifically affecting versions 2.10.0 and earlier. The vulnerability resides in the agenda_admin_cad.php script, where the GET parameter cod_agenda is concatenated directly into an SQL query without proper sanitization or parameterization. This improper neutralization of special SQL elements (CWE-89) allows an attacker with an authenticated session to inject arbitrary SQL commands, potentially leading to unauthorized data disclosure, data modification, or denial of service. The attack vector requires network access and valid credentials (PR:H), but no additional user interaction is necessary. The vulnerability affects confidentiality, integrity, and availability of the database backend. Although no exploits have been reported in the wild yet, the vulnerability is rated high severity with a CVSS 3.1 score of 7.2, reflecting its potential impact. The issue has been addressed in a patch (commit 3e9763a), which corrects the input handling by properly sanitizing or parameterizing the cod_agenda parameter to prevent injection. Organizations using i-educar should apply this patch immediately to mitigate risk.
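The defect described above is a raw GET value spliced into SQL text. The following is an added example, not code from the advisory or from the i-educar project: it reproduces the concatenation pattern in a few lines and places the hardened form (integer whitelist plus placeholder binding) next to it. The table name, column names and rows are constructed for the demo; the real schema behind agenda_admin_cad.php is not on the page, and the SQLite in-memory database stands in for the application's backend.

```python
"""Added example (not i-educar's code): the concatenation flaw next to a
hardened handler. Table, columns and rows are constructed for this demo."""
import re
import sqlite3

# Constructed sample data standing in for the application's agenda table.
SAMPLE_ROWS = [(1, "Reuniao de pais"), (2, "Conselho de classe"), (3, "Feriado")]


def make_db():
    """Build an in-memory database with the constructed agenda table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE agenda (cod_agenda INTEGER PRIMARY KEY, nome TEXT)")
    conn.executemany("INSERT INTO agenda VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def build_query_unsafe(cod_agenda):
    """The pattern the advisory describes: the raw GET value becomes SQL text."""
    return "SELECT cod_agenda, nome FROM agenda WHERE cod_agenda = " + cod_agenda


def lookup_unsafe(conn, cod_agenda):
    """Whatever arrives in the parameter is executed as part of the statement."""
    return conn.execute(build_query_unsafe(cod_agenda)).fetchall()


def parse_cod_agenda(raw):
    """Whitelist validation: an agenda id is a small non-negative integer."""
    if not re.fullmatch(r"[0-9]{1,9}", raw or ""):
        raise ValueError("cod_agenda must be a non-negative integer")
    return int(raw)


def lookup_safe(conn, raw_cod_agenda):
    """Hardened form: validate first, then bind the value as data, never as SQL."""
    cod = parse_cod_agenda(raw_cod_agenda)
    return conn.execute(
        "SELECT cod_agenda, nome FROM agenda WHERE cod_agenda = ?", (cod,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_safe(db, "2"))
    try:
        lookup_safe(db, "2 OR cod_agenda = 3")
    except ValueError as err:
        print("rejected:", err)
```

The two defences are independent and both belong in the fix: the integer check rejects anything that is not an id before it reaches the database, and the placeholder ensures that even a value which passes validation can never change the statement's structure. Either one alone closes this particular path; together they also survive a later change of column type or driver.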

Potential Impact

For European organizations, particularly educational institutions using i-educar, this vulnerability poses a significant risk. Exploitation could lead to unauthorized access to sensitive student and staff data, manipulation or deletion of records, and disruption of school management operations. The compromise of confidentiality could violate GDPR requirements, leading to regulatory penalties and reputational damage. Integrity violations could affect the accuracy of academic records and scheduling, while availability impacts could disrupt critical administrative functions. Since exploitation requires authenticated access, insider threats or compromised credentials increase risk. The potential for lateral movement or privilege escalation within the network also exists if attackers leverage this vulnerability. Given the critical role of school management systems, the operational and compliance impacts are substantial.

Mitigation Recommendations

1. Immediately apply the official patch provided by portabilis (commit 3e9763a) to all affected i-educar instances.
2. Restrict access to the i-educar application to trusted users and networks using network segmentation and access controls.
3. Enforce strong authentication mechanisms and regularly review user privileges to minimize the risk of credential compromise.
4. Implement web application firewalls (WAFs) with rules to detect and block SQL injection attempts targeting the cod_agenda parameter.
5. Conduct regular security audits and code reviews to identify and remediate similar injection flaws.
6. Monitor database logs and application logs for unusual query patterns or errors indicative of injection attempts.
7. Educate administrators and users about the risks of credential sharing and phishing attacks that could lead to session compromise.
8. Consider deploying runtime application self-protection (RASP) solutions to detect and block injection attacks in real time.
9. Backup critical data regularly and verify restoration procedures to minimize impact from potential data corruption or deletion.
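Steps 4 and 6 above ask for detection around the cod_agenda parameter. Since the parameter is an integer id, the simplest high-signal check is to flag any request to agenda_admin_cad.php whose cod_agenda is not purely numeric, and to corroborate with the two side effects a time-based injection tends to leave: slow responses and server errors. The script below is an added example, not part of the advisory or the i-educar project. The log lines are constructed, and the log format (combined format with a trailing response time in seconds) and the 3-second slowness threshold are assumptions to adapt to the real deployment.

```python
"""Added example (not from the advisory or the i-educar project): a log check
for mitigation step 6. Log lines are constructed; the format (combined log
plus a trailing response time in seconds) and threshold are assumptions."""
import re
from urllib.parse import parse_qs, urlsplit

# Assumed format: ip ident user [ts] "METHOD target PROTO" status bytes seconds
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ (?P<secs>[0-9.]+)$'
)

SLOW_SECONDS = 3.0  # assumed threshold; tune to the deployment's normal latency

# Constructed sample traffic: two normal lookups, three odd ones, one unrelated page.
SAMPLE_LOG = """\
10.0.0.5 - prof.ana [19/Nov/2025:16:02:06 +0000] "GET /ieducar/intranet/agenda_admin_cad.php?cod_agenda=12 HTTP/1.1" 200 5120 0.031
10.0.0.5 - prof.ana [19/Nov/2025:16:02:09 +0000] "GET /ieducar/intranet/agenda_admin_cad.php?cod_agenda=13 HTTP/1.1" 200 5098 0.028
10.0.0.9 - adm.joao [19/Nov/2025:16:05:41 +0000] "GET /ieducar/intranet/agenda_admin_cad.php?cod_agenda=12%27 HTTP/1.1" 200 5120 0.033
10.0.0.9 - adm.joao [19/Nov/2025:16:05:52 +0000] "GET /ieducar/intranet/agenda_admin_cad.php?cod_agenda=12%20-- HTTP/1.1" 500 612 0.020
10.0.0.9 - adm.joao [19/Nov/2025:16:06:10 +0000] "GET /ieducar/intranet/agenda_admin_cad.php?cod_agenda=12abc HTTP/1.1" 200 5120 5.041
10.0.0.7 - sec.maria [19/Nov/2025:16:07:00 +0000] "GET /ieducar/intranet/index.php HTTP/1.1" 200 2200 0.015
"""


def check_line(line):
    """Return a finding dict for a suspicious agenda_admin_cad.php request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if not parts.path.endswith("/agenda_admin_cad.php"):
        return None
    # parse_qs percent-decodes, so the check sees what the application saw.
    values = parse_qs(parts.query, keep_blank_values=True).get("cod_agenda", [])
    reasons = []
    for v in values:
        if not re.fullmatch(r"[0-9]{1,9}", v):
            reasons.append("non-numeric cod_agenda=%r" % v)
    secs = float(m["secs"])
    if secs >= SLOW_SECONDS:
        reasons.append("slow response %.3fs" % secs)
    if m["status"] == "500":
        reasons.append("server error")
    if not reasons:
        return None
    return {"ip": m["ip"], "user": m["user"], "ts": m["ts"], "reasons": reasons}


def scan(log_text):
    """Run check_line over every line and collect the findings in order."""
    findings = []
    for line in log_text.splitlines():
        f = check_line(line)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["user"], "; ".join(f["reasons"]))
```

The non-numeric rule is the one to rely on: it needs no signature list, has essentially no false positives for an integer id, and catches probes that a keyword-based WAF rule would miss. The slow-response and 500 signals are weaker on their own (a loaded server is slow too), so treat them as corroboration, and pivot on the user and source address of any flagged line, since every request here carries an authenticated session.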


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-11-13T15:36:51.681Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 691dec83964c14ffeeaeeafc

Added to database: 11/19/2025, 4:12:51 PM

Last enriched: 11/26/2025, 4:39:24 PM

Last updated: 1/7/2026, 8:49:17 AM

Views: 45

