CVE-2025-9531: SQL Injection in Portabilis i-Educar
A vulnerability was detected in Portabilis i-Educar up to 2.10. This affects an unknown function of the file /intranet/agenda.php of the component Agenda Module. Manipulation of the argument cod_agenda results in SQL injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-9531 is a SQL Injection vulnerability identified in the Portabilis i-Educar platform, specifically affecting versions 2.0 through 2.10. The vulnerability resides in the Agenda Module within the /intranet/agenda.php file. The issue arises from improper sanitization or validation of the 'cod_agenda' parameter, which can be manipulated remotely by an unauthenticated attacker to inject malicious SQL code. This injection flaw allows attackers to interfere with the backend database queries, potentially enabling unauthorized data access, data modification, or even deletion. The vulnerability does not require user interaction or authentication, increasing its risk profile. Although the CVSS 4.0 base score is 5.3 (medium severity), the exploitability is high due to the network attack vector and lack of required privileges. The vendor was notified but has not responded or provided patches, and while no exploits are currently known in the wild, public exploit code is available, increasing the likelihood of exploitation. The vulnerability impacts the confidentiality, integrity, and availability of the affected systems, as attackers could extract sensitive educational data, alter records, or disrupt service availability.
Potential Impact
For European organizations using Portabilis i-Educar, particularly educational institutions and government education departments, this vulnerability poses a significant risk. Exploitation could lead to unauthorized disclosure of student and staff personal data, violating GDPR and other data protection regulations, resulting in legal and financial penalties. Integrity of educational records could be compromised, affecting academic outcomes and institutional trust. Availability impacts could disrupt educational services, causing operational downtime. Given that i-Educar is an education management system, the exposure of sensitive data and service disruption could have wide-reaching consequences for schools and municipalities relying on this software. The lack of vendor response and patch availability increases the urgency for European organizations to implement mitigations proactively.
Mitigation Recommendations
Organizations should immediately audit their deployments of Portabilis i-Educar to identify affected versions (2.0 to 2.10). Since no official patches are available, mitigations include:
1) Implementing Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the 'cod_agenda' parameter.
2) Applying input validation and sanitization at the application or proxy level to neutralize malicious input.
3) Restricting network access to the intranet module to trusted IP ranges to reduce exposure.
4) Monitoring logs for suspicious query patterns or repeated access attempts to /intranet/agenda.php.
5) Planning for an upgrade or migration to a patched or alternative platform once available.
Additionally, organizations should review database permissions to ensure the application uses least privilege principles, limiting the potential damage from a successful injection.
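As an added example (not from this page or the i-Educar project), the following Python implements the log-monitoring recommendation: it parses constructed Apache-style access-log lines, flags requests to /intranet/agenda.php whose cod_agenda value is not a plain integer, and lists clients that send such values repeatedly. It assumes cod_agenda is meant to be a numeric record identifier; the log lines, addresses and the `scan` helper are constructed for this illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache combined format), not real traffic.
# Client 203.0.113.5 sends two malformed cod_agenda values; 198.51.100.7 is benign.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Aug/2025:13:47:51 +0000] "GET /intranet/agenda.php?cod_agenda=42 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Aug/2025:13:47:53 +0000] "GET /intranet/agenda.php?cod_agenda=42%27 HTTP/1.1" 500 233 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Aug/2025:13:47:54 +0000] "GET /intranet/agenda.php?cod_agenda=42a HTTP/1.1" 200 5123 "-" "curl/8.0"
198.51.100.7 - - [27/Aug/2025:13:48:10 +0000] "GET /intranet/agenda.php?cod_agenda=7 HTTP/1.1" 200 4980 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Aug/2025:13:48:11 +0000] "GET /intranet/index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Assumption: a legitimate cod_agenda is a short positive integer (an agenda record id).
INT_RE = re.compile(r"^\d{1,10}$")
TARGET_PATH = "/intranet/agenda.php"

def parse_line(line):
    """Return a dict with ip, ts, method, path, params, status; None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["params"] = parse_qs(url.query, keep_blank_values=True)  # values are percent-decoded
    return rec

def is_suspicious(rec):
    """True when the request hits agenda.php with a cod_agenda value that is not a plain integer."""
    if rec["path"] != TARGET_PATH:
        return False
    return any(not INT_RE.match(v) for v in rec["params"].get("cod_agenda", []))

def scan(log_text, repeat_threshold=2):
    """Return (findings, repeat_offenders); each finding is (ip, decoded cod_agenda, status)."""
    findings, per_ip = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            per_ip[rec["ip"]] += 1
            findings.append((rec["ip"], rec["params"]["cod_agenda"][0], rec["status"]))
    return findings, sorted(ip for ip, n in per_ip.items() if n >= repeat_threshold)
```

The same integer-only rule can be expressed as a WAF or proxy validation for the cod_agenda parameter, so alerts from this scan and blocks at the edge share one definition of "malformed".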
Affected Countries
Portugal, Spain, Italy, France, Germany, Brazil (not European but relevant due to Portuguese language and i-Educar usage)
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-27T07:33:52.813Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68af0c87ad5a09ad00627bb8
Added to database: 8/27/2025, 1:47:51 PM
Last enriched: 9/4/2025, 1:29:29 AM
Last updated: 10/17/2025, 7:19:14 PM