CVE-2025-9236 is a medium severity SQL Injection vulnerability affecting Portabilis i-Educar versions 2.0 through 2.10. The vulnerability resides in the /intranet/educar_tipo_usuario_lst.php file, specifically within the 'Tipos de usuário' page component. The flaw arises from improper sanitization or validation of the 'nm_tipo' or 'descrição' input parameters, which an attacker can manipulate to inject malicious SQL code. This injection can be performed remotely without requiring user interaction or authentication, as indicated by the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L). The vulnerability impacts the confidentiality, integrity, and availability of the underlying database, potentially allowing unauthorized data access, modification, or deletion. Although the CVSS score is moderate (5.3), the vulnerability's ease of exploitation and remote attack vector make it a significant concern. The vendor has not responded to disclosure attempts, and no patches or mitigations have been published yet. No known exploits are currently observed in the wild, but public disclosure increases the risk of exploitation by threat actors. The vulnerability affects a widely used educational management system, which is critical for managing user roles and data within educational institutions.

For European organizations, especially educational institutions using Portabilis i-Educar, this vulnerability poses a risk of unauthorized access to sensitive student and staff data, including personal information and academic records. Exploitation could lead to data breaches, loss of data integrity, and disruption of educational services. Given the remote exploitability without authentication, attackers could leverage this vulnerability to compromise school intranets, potentially pivoting to other internal systems. This could result in reputational damage, regulatory penalties under GDPR due to data exposure, and operational downtime. The impact is particularly severe for institutions relying heavily on i-Educar for user management and administrative functions, as the injected SQL could manipulate user roles or extract confidential data. The lack of vendor response and patches increases the urgency for organizations to implement compensating controls.

Since no official patches are available, European organizations should immediately implement input validation and sanitization at the web application firewall (WAF) or reverse proxy level to block malicious SQL payloads targeting the 'nm_tipo' and 'descrição' parameters. Deploying parameterized queries or prepared statements within custom integrations or extensions can reduce risk if source code access is available. Network segmentation should isolate the i-Educar system from critical internal resources to limit lateral movement. Monitoring and logging of database queries and web requests for anomalous patterns related to SQL injection attempts should be enhanced. Organizations should also consider temporary disabling or restricting access to the vulnerable component if feasible. Regular backups of the database are essential to recover from potential data manipulation. Finally, organizations should engage with Portabilis or community forums for updates and consider alternative solutions if remediation is delayed.