
CVE-2025-8790: Improper Authorization in Portabilis i-Educar

Severity: Medium
Published: Sun Aug 10 2025 (08/10/2025, 02:32:05 UTC)
Source: CVE Database V5
Vendor/Project: Portabilis
Product: i-Educar

Description

A vulnerability was found in Portabilis i-Educar up to 2.9.0. It has been declared as critical. This vulnerability affects unknown code of the file /module/Api/pessoa of the component API Endpoint. The manipulation of the argument ID leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 08/18/2025, 00:59:42 UTC

Technical Analysis

CVE-2025-8790 is a medium-severity vulnerability affecting Portabilis i-Educar versions up to 2.9.0. The flaw resides in the API endpoint located at /module/Api/pessoa, where improper authorization occurs due to insufficient validation of the ID argument. This allows an unauthenticated remote attacker to manipulate the ID parameter to bypass authorization controls. The vulnerability does not require user interaction and can be exploited over the network without prior authentication, making it accessible to remote attackers. The CVSS 4.0 base score is 5.3, reflecting a medium impact primarily due to limited confidentiality impact and no integrity or availability impact. The vulnerability was disclosed publicly, but the vendor has not responded or provided patches, increasing the risk of exploitation. Although no known exploits are currently in the wild, the public disclosure and lack of vendor response elevate the threat level. The vulnerability could allow unauthorized access to sensitive personal data managed by the i-Educar system, which is an education management platform widely used to handle student and staff information. Improper authorization in such a system could lead to data leakage or unauthorized data manipulation, potentially violating privacy regulations and undermining trust in educational institutions using the software.

Potential Impact

For European organizations, particularly educational institutions using Portabilis i-Educar or similar education management systems, this vulnerability poses a risk of unauthorized access to personal data of students, staff, and other stakeholders. Given the sensitive nature of educational records, exploitation could lead to breaches of GDPR and other privacy laws, resulting in legal penalties and reputational damage. The improper authorization could allow attackers to view or potentially alter personal information, compromising data confidentiality and integrity. While the vulnerability does not directly affect system availability, the indirect consequences such as regulatory fines, loss of stakeholder trust, and operational disruptions due to incident response could be significant. The risk is heightened by the vendor's lack of response and absence of patches, leaving organizations exposed. European educational entities that rely on this software for administrative and academic management are particularly vulnerable, and the impact could extend to national education authorities if centralized deployments exist.

Mitigation Recommendations

Organizations should immediately conduct an inventory to identify any deployments of Portabilis i-Educar versions 2.0 through 2.9.0. Until a vendor patch is available, implement strict network-level access controls to restrict access to the /module/Api/pessoa endpoint only to trusted internal IP addresses or VPN users. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious manipulation of the ID parameter. Conduct thorough logging and monitoring of API access to detect anomalous requests indicative of exploitation attempts. If possible, implement additional application-layer authorization checks or temporary patches to validate user permissions before processing ID parameters. Educate IT and security teams about the vulnerability and prepare incident response plans in case exploitation is detected. Engage with the vendor or community for updates or unofficial patches. Finally, consider isolating or segmenting the affected systems to minimize exposure until a secure version is released.
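As an added example (not from the advisory and not Portabilis code), the script below applies two of the checks above to web-server access logs: it flags requests to /module/Api/pessoa from clients outside an assumed trusted range, and clients that enumerate several distinct ID values on that endpoint. The sample log lines, the trusted network 10.0.0.0/8, the threshold and the lower-case `id` parameter name are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/module/Api/pessoa"             # path named in the advisory
TRUSTED_NETS = [ip_network("10.0.0.0/8")]   # assumed internal range for this deployment
ENUM_THRESHOLD = 3                          # distinct IDs per client before flagging

# Combined Log Format: client IP, ident, user, [timestamp], "request line", status, size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Constructed sample log; not captured from a real i-Educar instance.
SAMPLE_LOG = """\
10.0.5.12 - - [10/Aug/2025:02:40:01 +0000] "GET /module/Api/pessoa?id=1041 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2025:02:41:10 +0000] "GET /module/Api/pessoa?id=1 HTTP/1.1" 200 498 "-" "python-requests/2.31"
203.0.113.7 - - [10/Aug/2025:02:41:11 +0000] "GET /module/Api/pessoa?id=2 HTTP/1.1" 200 501 "-" "python-requests/2.31"
203.0.113.7 - - [10/Aug/2025:02:41:12 +0000] "GET /module/Api/pessoa?id=3 HTTP/1.1" 200 497 "-" "python-requests/2.31"
10.0.5.12 - - [10/Aug/2025:02:42:30 +0000] "GET /login HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return (ip, method, path, id_value, status) or None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, _ts, method, target, status = m.groups()
    parts = urlsplit(target)
    # The ID argument is matched case-insensitively; the exact parameter name is assumed.
    params = {k.lower(): v for k, v in parse_qs(parts.query).items()}
    ids = params.get("id")
    return ip, method, parts.path, (ids[0] if ids else None), int(status)

def analyze(log_text, trusted_nets=TRUSTED_NETS, threshold=ENUM_THRESHOLD):
    """Return findings as (client_ip, rule, detail) tuples for the pessoa endpoint."""
    findings = []
    ids_seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[2] != ENDPOINT:
            continue  # other endpoints are out of scope for these two rules
        ip, _method, _path, obj_id, _status = rec
        if not any(ip_address(ip) in net for net in trusted_nets):
            findings.append((ip, "untrusted-source", f"id={obj_id}"))
        if obj_id is not None:
            ids_seen[ip].add(obj_id)
    for ip, ids in ids_seen.items():
        if len(ids) >= threshold:
            findings.append((ip, "id-enumeration", f"{len(ids)} distinct ids"))
    return findings
```

Feed the real access log in place of SAMPLE_LOG and tune TRUSTED_NETS and ENUM_THRESHOLD to the deployment; the same two rules translate directly into WAF or SIEM logic.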


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-09T05:11:31.557Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68980bd3ad5a09ad0010d8e1

Added to database: 8/10/2025, 3:02:43 AM

Last enriched: 8/18/2025, 12:59:42 AM

Last updated: 9/15/2025, 8:34:01 PM

