CVE-2025-9606: SQL Injection in Portabilis i-Educar

Severity: Medium
Published: Fri Aug 29 2025 (08/29/2025, 02:32:07 UTC)
Source: CVE Database V5
Vendor/Project: Portabilis
Product: i-Educar

Description

A vulnerability was detected in Portabilis i-Educar up to 2.10. Affected by this vulnerability is an unknown functionality of the file /intranet/agenda_preferencias.php. Manipulation of the argument cod_agenda results in SQL injection. The attack may be initiated remotely. The exploit is now public and may be used.

AI-Powered Analysis

Last updated: 08/29/2025, 03:02:48 UTC

Technical Analysis

CVE-2025-9606 is a medium-severity SQL injection vulnerability affecting Portabilis i-Educar versions up to 2.10. The flaw lies in an unspecified function of the file /intranet/agenda_preferencias.php, where manipulation of the 'cod_agenda' parameter allows an attacker to inject SQL into a database query. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P) indicates a network attack vector, low attack complexity, no user interaction, low privileges required (PR:L, so an attacker needs only low-privileged access to the intranet endpoint rather than administrative rights), and partial impact on the confidentiality, integrity and availability of the underlying database, i.e. unauthorized reading, modification or deletion of data. The E:P component records that a proof-of-concept exploit exists: no exploitation in the wild is known, but exploit code has been publicly disclosed, which raises the likelihood of attempts. No patch was available at the time of publication, so mitigation is needed immediately. Because i-Educar is an educational management system, exploitation could expose sensitive student and institutional data, disrupt educational services, and damage the reputation of affected organizations.

Potential Impact

For European organizations, especially educational institutions using Portabilis i-Educar, this vulnerability poses a significant risk. Exploitation could lead to unauthorized disclosure of personal data protected under GDPR, including student records and staff information, resulting in legal and financial consequences. Integrity violations could corrupt academic records or schedules, disrupting institutional operations. Availability impacts could cause denial of service to critical educational functions, affecting teaching and administrative workflows. The medium severity rating suggests that while exploitation is feasible, the impact is somewhat limited compared to critical vulnerabilities; however, the sensitive nature of educational data and the regulatory environment in Europe amplify the potential consequences. Organizations may face compliance issues, loss of trust, and operational interruptions if this vulnerability is exploited.

Mitigation Recommendations

1. Immediate mitigation should include strict input validation and parameterized queries or prepared statements for the 'cod_agenda' parameter to prevent SQL injection.
2. If source code modification is not immediately feasible, deploy Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the vulnerable endpoint.
3. Restrict network access to the intranet and administrative interfaces to trusted IP ranges and enforce strong authentication mechanisms to reduce exposure.
4. Monitor logs for suspicious activity related to the agenda_preferencias.php endpoint, including anomalous parameter values or repeated access attempts.
5. Engage with Portabilis for official patches or updates and apply them promptly once available.
6. Conduct security awareness training for administrators to recognize and respond to potential exploitation attempts.
7. Regularly back up databases and test restoration procedures to minimize data loss in case of compromise.
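The following Python is an added example, not part of this advisory or of the i-Educar code base, that implements recommendations 1 and 4 above: an allow-list check for cod_agenda (the rule a WAF or server-side validation would enforce) applied to access-log lines for the agenda_preferencias.php endpoint, with a count of repeated attempts per source IP. It assumes cod_agenda is a numeric record identifier and that the web server writes common log format; the log lines, timestamps and IP addresses are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed common-log-format lines (documentation IP ranges, fictional timestamps).
SAMPLE_LOG = """\
198.51.100.7 - - [29/Aug/2025:03:01:10 +0000] "GET /intranet/agenda_preferencias.php?cod_agenda=42 HTTP/1.1" 200 5120
198.51.100.7 - - [29/Aug/2025:03:01:12 +0000] "GET /intranet/agenda_preferencias.php?cod_agenda=42%27%20OR%201%3D1 HTTP/1.1" 200 9800
203.0.113.5 - - [29/Aug/2025:03:01:15 +0000] "GET /intranet/agenda_preferencias.php?cod_agenda=7 HTTP/1.1" 200 5100
198.51.100.7 - - [29/Aug/2025:03:01:16 +0000] "GET /intranet/agenda_preferencias.php?cod_agenda=7%20UNION%20SELECT HTTP/1.1" 500 310
192.0.2.9 - - [29/Aug/2025:03:02:00 +0000] "GET /intranet/outra_pagina.php?cod_agenda=x HTTP/1.1" 200 100
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
ENDPOINT = "/intranet/agenda_preferencias.php"
# Assumption: cod_agenda is a numeric record id, so only a short digit string is legitimate.
ALLOWED = re.compile(r"\d{1,10}")


def cod_agenda_is_valid(value: str) -> bool:
    """Allow-list check, the same rule a WAF rule or server-side validation would enforce."""
    return ALLOWED.fullmatch(value) is not None


def suspicious_requests(log_text: str) -> list[dict]:
    """Return requests to the vulnerable endpoint whose cod_agenda fails the allow-list."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != ENDPOINT:
            continue  # other pages are out of scope for this rule
        # parse_qs percent-decodes, so encoded quotes and spaces are inspected in clear.
        for value in parse_qs(url.query, keep_blank_values=True).get("cod_agenda", []):
            if not cod_agenda_is_valid(value):
                findings.append({"ip": m["ip"], "ts": m["ts"],
                                 "status": int(m["status"]), "cod_agenda": value})
    return findings


def repeat_offenders(findings: list[dict], threshold: int = 2) -> dict[str, int]:
    """Source IPs with at least `threshold` anomalous requests (repeated attempts)."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Run against the sample, the scanner flags the two non-numeric cod_agenda values and reports 198.51.100.7 as a repeat offender; the HTTP 500 on the second hit is the kind of secondary signal (a query error) worth correlating with database logs.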

Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-28T15:28:07.120Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68b114d4ad5a09ad00735f33

Added to database: 8/29/2025, 2:47:48 AM

Last enriched: 8/29/2025, 3:02:48 AM

Last updated: 8/30/2025, 6:04:38 AM