CVE-2025-9236: SQL Injection in Portabilis i-Diario
A vulnerability has been found in Portabilis i-Diario up to 2.10. This affects an unknown function of the file /intranet/educar_tipo_usuario_lst.php of the component Tipos de usuário page. Such manipulation of the argument nm_tipo leads to SQL injection. The attack may be performed from a remote location. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-9236 is a SQL Injection vulnerability identified in the Portabilis i-Diario software, specifically affecting versions 2.0 through 2.10. The vulnerability resides in the /intranet/educar_tipo_usuario_lst.php file within the 'Tipos de usuário' page component. The issue arises from improper sanitization or validation of the 'nm_tipo' parameter, which allows an attacker to inject malicious SQL code remotely without requiring authentication or user interaction. This flaw can be exploited to manipulate backend database queries, potentially leading to unauthorized data access, data modification, or database corruption. The vulnerability has a CVSS 4.0 base score of 5.3, indicating a medium severity level. The vector details show that the attack can be performed remotely (AV:N), with low attack complexity (AC:L), no privileges required (PR:L), and no user interaction (UI:N). The impact on confidentiality, integrity, and availability is limited but present (VC:L, VI:L, VA:L). The vendor has been contacted but has not responded or issued a patch, and no known exploits are currently reported in the wild, though public disclosure of the exploit code exists. This vulnerability is critical for organizations using Portabilis i-Diario, a platform commonly used in educational environments for managing school diaries and related administrative tasks. Exploitation could lead to unauthorized access to sensitive student or staff data and disruption of educational services.
Potential Impact
For European organizations, particularly educational institutions or government bodies using Portabilis i-Diario, this vulnerability poses a significant risk. Exploitation could lead to unauthorized disclosure of personal data protected under GDPR, including student records, grades, and staff information, resulting in legal and reputational damage. Data integrity could be compromised, affecting the reliability of academic records and administrative processes. Availability impacts may disrupt school operations, causing administrative delays. Given the remote exploitability and lack of required authentication, attackers could target these systems en masse. The medium severity rating suggests moderate but tangible risks, especially in environments where sensitive educational data is managed. The lack of vendor response and patches increases the risk window, making timely mitigation essential to prevent potential breaches and compliance violations.
Mitigation Recommendations
Organizations should immediately audit their use of Portabilis i-Diario versions 2.0 through 2.10 and isolate affected systems. Since no official patch is available, implement web application firewall (WAF) rules to detect and block SQL injection patterns targeting the 'nm_tipo' parameter. Employ input validation and sanitization at the application or proxy level to filter malicious payloads. Restrict network access to the intranet component hosting the vulnerable page, limiting exposure to trusted IP addresses only. Monitor logs for suspicious query patterns or unusual database activity indicative of exploitation attempts. Consider deploying database activity monitoring tools to detect anomalous SQL commands. Engage with Portabilis for updates and patches, and plan for an upgrade once a fix is released. Additionally, conduct security awareness training for administrators to recognize and respond to potential exploitation signs. Regular backups of affected databases should be maintained to enable recovery in case of data tampering.
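As an added example (not code from the advisory or from Portabilis), the following Python script applies two of the controls recommended above to the page and parameter the advisory names: an allowlist check for the nm_tipo value that a reverse proxy or the application could enforce, and a scan of web access logs that reports requests to /intranet/educar_tipo_usuario_lst.php whose nm_tipo value fails that check. The allowlist rule, the Common Log Format input and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Page and parameter named in the advisory for CVE-2025-9236.
VULN_PATH = "/intranet/educar_tipo_usuario_lst.php"
VULN_PARAM = "nm_tipo"

# Assumed allowlist for a user-type name (letters with accents, digits, spaces,
# hyphens, at most 60 chars). This is our policy, not i-Diario's own validation.
ALLOWED = re.compile(r"^[\w\s\-]{1,60}$")
# Fragments that never belong in a legitimate user-type name.
SQLI_HINTS = re.compile(
    r"('|\"|--|/\*|;|\b(union|select|sleep|benchmark|or|and)\b\s*[(\d'\"])",
    re.IGNORECASE)
# Common Log Format: client ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def nm_tipo_is_safe(value: str) -> bool:
    """Allowlist check a reverse proxy or the app could apply before the query."""
    return bool(ALLOWED.match(value)) and not SQLI_HINTS.search(value)

def suspicious_requests(log_lines):
    """Yield (client, time, status, decoded nm_tipo) for each request to the
    vulnerable page whose nm_tipo value fails the allowlist."""
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                   # not a CLF line
        client, ts, _method, target, status = m.groups()
        parts = urlsplit(target)
        if parts.path != VULN_PATH:
            continue
        for raw in parse_qs(parts.query).get(VULN_PARAM, []):
            value = unquote_plus(raw)  # second decode catches double-encoding
            if not nm_tipo_is_safe(value):
                yield client, ts, status, value

# Constructed sample log lines, not real traffic. Line 1 is benign and line 3
# hits a different page, so only lines 2 and 4 should be reported.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Aug/2025:17:47:52 +0000] "GET /intranet/educar_tipo_usuario_lst.php?nm_tipo=Professor HTTP/1.1" 200 512',
    '10.0.0.9 - - [20/Aug/2025:17:48:01 +0000] "GET /intranet/educar_tipo_usuario_lst.php?nm_tipo=x%27%20OR%201%3D1-- HTTP/1.1" 200 8800',
    '10.0.0.9 - - [20/Aug/2025:17:48:05 +0000] "GET /intranet/index.php?nm_tipo=%27 HTTP/1.1" 200 300',
    '10.0.0.9 - - [20/Aug/2025:17:48:09 +0000] "GET /intranet/educar_tipo_usuario_lst.php?nm_tipo=%2527%2520OR%25201%253D1 HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("ALERT client=%s time=%s status=%s nm_tipo=%r" % hit)
```

A 5xx status on a flagged request, as in the last sample line, is worth treating as a stronger signal, since a malformed injected query often surfaces as a database error.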
Affected Countries
Portugal, Spain, Italy, France, Germany, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-20T10:55:34.612Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68a60a48ad5a09ad00077267
Added to database: 8/20/2025, 5:47:52 PM
Last enriched: 8/20/2025, 6:03:00 PM
Last updated: 8/20/2025, 6:03:00 PM