CVE-2025-8790: Improper Authorization in Portabilis i-Educar
A vulnerability was found in Portabilis i-Educar up to 2.9.0. It has been declared as critical. This vulnerability affects unknown code of the file /module/Api/pessoa of the component API Endpoint. The manipulation of the argument ID leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-8790 is a medium-severity vulnerability affecting Portabilis i-Educar versions 2.0 through 2.9.0. The vulnerability resides in the API endpoint located at /module/Api/pessoa, where improper authorization occurs due to insufficient validation of the 'ID' argument. This flaw allows an unauthenticated remote attacker to manipulate the ID parameter to bypass authorization controls, potentially accessing or modifying data they are not authorized to reach. Exploitation requires neither user interaction nor privileges, and the attack vector is network-based (remote). The CVSS 4.0 base score is 5.3, reflecting medium severity, with attack complexity rated as low and no privileges or user interaction required. The vulnerability partially impacts confidentiality, as it allows unauthorized access to data, but does not affect integrity or availability. The vendor has been notified but has not responded or issued a patch, and no exploitation in the wild has been observed so far, although public exploit details have been disclosed. This vulnerability is significant in the context of educational management systems: i-Educar is widely used for managing student and school data, so unauthorized data access is a serious concern.
Potential Impact
For European organizations, particularly educational institutions using Portabilis i-Educar, this vulnerability poses a risk of unauthorized access to sensitive personal data of students, staff, and other stakeholders. Such unauthorized access could lead to privacy violations under GDPR, resulting in regulatory penalties and reputational damage. Although the vulnerability does not directly impact system availability or integrity, the exposure of confidential data can facilitate further attacks such as identity theft or social engineering. The lack of vendor response and patch availability increases the risk exposure period. European educational institutions that rely on i-Educar for student information systems may face compliance challenges and operational risks if exploited. Additionally, attackers could leverage this vulnerability to gather intelligence or disrupt administrative processes remotely, given the network-accessible nature of the API endpoint.
Mitigation Recommendations
Organizations should immediately audit their deployment of Portabilis i-Educar to identify affected versions (2.0 through 2.9.0). In the absence of an official patch, implement strict network-level access controls to restrict API endpoint access to trusted internal networks or VPNs. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious manipulation of the ID parameter in API requests. Conduct thorough logging and monitoring of API access to detect anomalous behavior indicative of exploitation attempts, such as a single client requesting many distinct ID values in a short period. Where feasible, apply temporary compensating controls such as input validation proxies or API gateways that enforce authorization checks. Engage with Portabilis or the community for updates or unofficial patches. Additionally, review and reinforce data access policies and ensure least-privilege principles are enforced within the application. Prepare incident response plans specific to unauthorized data access scenarios.
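The monitoring recommendation above can be turned into a concrete log check. The following is an added example written for this page, not code from Portabilis or from the advisory. It parses Apache/nginx-style access-log lines, keeps only requests to /module/Api/pessoa, collects the distinct values of the ID query argument per client address, and flags clients that exceed a threshold or walk through consecutive IDs. The log format, the lowercase `id` query key, the threshold value and the sample log lines are all assumptions constructed for the example.

```python
"""Flag clients enumerating the ID argument of /module/Api/pessoa in access logs.

Added example for this advisory page; not code from Portabilis i-Educar.
The log format, parameter spelling and threshold are assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, Optional, Set
from urllib.parse import parse_qs, urlsplit

# Endpoint named in the advisory; the ID argument is matched case-insensitively
# because the advisory spells it 'ID' while query strings commonly use 'id'.
WATCHED_PATH = "/module/Api/pessoa"
# Assumed threshold: distinct ID values one client may request before being flagged.
DISTINCT_ID_THRESHOLD = 5

# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2025:03:00:01 +0000] "GET /module/Api/pessoa?id=100 HTTP/1.1" 200 512
203.0.113.7 - - [10/Aug/2025:03:00:02 +0000] "GET /module/Api/pessoa?id=101 HTTP/1.1" 200 498
203.0.113.7 - - [10/Aug/2025:03:00:02 +0000] "GET /module/Api/pessoa?id=102 HTTP/1.1" 200 505
203.0.113.7 - - [10/Aug/2025:03:00:03 +0000] "GET /module/Api/pessoa?id=103 HTTP/1.1" 200 511
203.0.113.7 - - [10/Aug/2025:03:00:03 +0000] "GET /module/Api/pessoa?id=104 HTTP/1.1" 200 509
203.0.113.7 - - [10/Aug/2025:03:00:04 +0000] "GET /module/Api/pessoa?id=105 HTTP/1.1" 200 503
198.51.100.2 - - [10/Aug/2025:03:01:10 +0000] "GET /module/Api/pessoa?id=42 HTTP/1.1" 200 520
198.51.100.2 - - [10/Aug/2025:03:05:15 +0000] "GET /module/Api/pessoa?id=42 HTTP/1.1" 200 520
192.0.2.9 - - [10/Aug/2025:03:06:00 +0000] "GET /index.php HTTP/1.1" 200 2048
"""

# Common-log-format prefix: client, ident, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[dict]:
    """Return the client, path, status and any ID values from one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    query = parse_qs(parts.query)
    ids = [v for key, values in query.items() if key.lower() == "id" for v in values]
    return {"ip": m.group("ip"), "path": parts.path, "status": int(m.group("status")), "ids": ids}


def ids_per_client(log_text: str) -> Dict[str, Set[str]]:
    """Map each client address to the distinct ID values it requested on the watched path."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != WATCHED_PATH:
            continue
        seen[rec["ip"]].update(rec["ids"])
    return dict(seen)


def is_sequential(ids: Set[str]) -> bool:
    """True when the IDs are all integers forming a run of consecutive values."""
    try:
        nums = sorted(int(i) for i in ids)
    except ValueError:
        return False
    return len(nums) >= 2 and all(b - a == 1 for a, b in zip(nums, nums[1:]))


def flag_enumerators(log_text: str, threshold: int = DISTINCT_ID_THRESHOLD) -> Dict[str, int]:
    """Clients that requested at least `threshold` distinct IDs, with their counts."""
    return {ip: len(ids) for ip, ids in ids_per_client(log_text).items() if len(ids) >= threshold}


if __name__ == "__main__":
    per_client = ids_per_client(SAMPLE_LOG)
    for ip, count in flag_enumerators(SAMPLE_LOG).items():
        marker = " (consecutive IDs)" if is_sequential(per_client[ip]) else ""
        print(f"ALERT {ip}: {count} distinct ID values on {WATCHED_PATH}{marker}")
```

Run against a real log the threshold would be tuned to the legitimate per-user access pattern of the deployment, and the same check can be expressed as a WAF or SIEM rule; the point of the example is that enumeration of an object identifier by one client is the observable side effect of an authorization bypass on this kind of endpoint, and it is visible in ordinary access logs without any application change.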
Affected Countries
Portugal, Spain, Italy, France, Germany, United Kingdom, Netherlands, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-09T05:11:31.557Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68980bd3ad5a09ad0010d8e1
Added to database: 8/10/2025, 3:02:43 AM
Last enriched: 8/10/2025, 3:17:44 AM
Last updated: 8/11/2025, 12:33:50 AM
Related Threats
- CVE-2025-8833: Stack-based Buffer Overflow in Linksys RE6250 (High)
- CVE-2025-7965: CWE-352 Cross-Site Request Forgery (CSRF) in CBX Restaurant Booking (Medium)
- CVE-2025-8832: Stack-based Buffer Overflow in Linksys RE6250 (High)
- CVE-2025-8831: Stack-based Buffer Overflow in Linksys RE6250 (High)
- CVE-2025-8829: OS Command Injection in Linksys RE6250 (Medium)