CVE-2025-9607: SQL Injection in Portabilis i-Educar

Medium
Tags: Vulnerability, CVE-2025-9607
Published: Fri Aug 29 2025 (08/29/2025, 03:02:06 UTC)
Source: CVE Database V5
Vendor/Project: Portabilis
Product: i-Educar

Description

A flaw has been found in Portabilis i-Educar up to 2.10. Affected by this issue is some unknown functionality of the file /module/TabelaArredondamento/view of the component Tabelas de Arredondamento Page. Executing manipulation of the argument ID can lead to SQL injection. The attack may be launched remotely. The exploit has been published and may be used.

AI-Powered Analysis

Last updated: 08/29/2025, 03:32:50 UTC

Technical Analysis

CVE-2025-9607 is a medium-severity SQL injection vulnerability affecting Portabilis i-Educar versions 2.0 through 2.10. The flaw lies in unspecified functionality of the file /module/TabelaArredondamento/view, part of the Tabelas de Arredondamento Page component. It stems from missing or insufficient validation of the 'ID' argument, which an attacker can manipulate to inject SQL into a database query. The injection can be performed remotely, needs no user interaction, and has low attack complexity. The CVSS 4.0 vector indicates that the attack requires low privileges (PR:L), no user interaction (UI:N), and no scope change (S:U). The confidentiality, integrity, and availability impacts are each rated low, suggesting limited potential for data exposure or modification. No exploitation in the wild has been observed so far, but a public exploit has been published, which raises the likelihood of attempts. No official patch link is provided, so affected organizations should watch for vendor communications and in the meantime rely on mitigations such as input validation and web application firewalls. Because i-Educar is an educational management system, successful exploitation could allow attackers to read or alter educational data, affecting data integrity and privacy.

Potential Impact

For European organizations using Portabilis i-Educar, particularly educational institutions or government bodies managing education systems, this vulnerability could lead to unauthorized access or modification of sensitive educational data. Although the impact is rated as low on confidentiality, integrity, and availability, exploitation could still disrupt educational operations or lead to data integrity issues, undermining trust in the system. The remote exploitability without user interaction increases the risk of automated attacks. Given the educational sector's critical role and the sensitivity of student and institutional data, even limited data manipulation or leakage could have regulatory and reputational consequences under GDPR and other data protection laws in Europe. Furthermore, exploitation could serve as a foothold for further attacks within the network if combined with other vulnerabilities.

Mitigation Recommendations

European organizations should immediately audit their use of Portabilis i-Educar to identify affected versions (2.0 to 2.10). In the absence of an official patch, organizations should implement strict input validation and sanitization on all user-supplied parameters, especially the 'ID' argument in the Tabelas de Arredondamento Page. Deploying Web Application Firewalls (WAFs) with SQL injection detection and prevention rules can help block exploitation attempts. Network segmentation should be enforced to limit access to the i-Educar system from untrusted networks. Monitoring and logging of database queries and web application logs should be enhanced to detect suspicious activity. Organizations should also subscribe to vendor advisories and CVE databases for timely patch releases and apply updates promptly once available. Conducting penetration testing focused on SQL injection vectors in the affected module can help identify residual risks.
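As an added example that is not part of this advisory or of the i-Educar project, the following Python script implements the log-monitoring recommendation above: it parses constructed Apache combined-format access log lines and flags every request to /module/TabelaArredondamento/view whose ID argument is not a bare positive integer. This is an allowlist check on the one parameter the advisory names, so it needs no catalogue of injection strings. The log format and the case-insensitive match on the parameter name are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Path named in the CVE-2025-9607 advisory (i-Educar up to 2.10); the argument is "ID".
VULN_PATH = "/module/TabelaArredondamento/view"
ID_PATTERN = re.compile(r"^[0-9]{1,10}$")  # allowlist: a bare positive integer only

# Apache "combined" log format is an assumption; adapt the regex for other formats.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r"(?P<status>\d{3}) \S+"
)


def suspicious_id_requests(log_lines):
    """Return (client ip, timestamp, decoded ID value) for every request to the
    Tabelas de Arredondamento view whose ID argument is not a bare integer. Requests
    without an ID argument are ignored; the name match is case-insensitive (assumption)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than stop the monitor
        parts = urlsplit(m.group("url"))
        if parts.path != VULN_PATH:
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        for name, values in params.items():
            if name.lower() != "id":
                continue
            for value in values:
                # parse_qs decoded once; decode again so a double-encoded value (%2527) is judged as the app sees it
                decoded = unquote(value)
                if not ID_PATTERN.match(decoded):
                    hits.append((m.group("ip"), m.group("ts"), decoded))
    return hits


# Constructed sample lines (not real traffic): line 1 is benign, line 4 is a different
# module, and the remaining three carry ID values that should be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Aug/2025:03:10:01 +0000] "GET /module/TabelaArredondamento/view?id=12 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [29/Aug/2025:03:10:07 +0000] "GET /module/TabelaArredondamento/view?id=12%27 HTTP/1.1" 500 311',
    '10.0.0.9 - - [29/Aug/2025:03:10:09 +0000] "GET /module/TabelaArredondamento/view?ID=12%2527 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [29/Aug/2025:03:10:11 +0000] "GET /module/Outro/view?id=abc HTTP/1.1" 200 900',
    '10.0.0.9 - - [29/Aug/2025:03:10:13 +0000] "GET /module/TabelaArredondamento/view?id= HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, ts, value in suspicious_id_requests(SAMPLE_LOG):
        print(f"{ts} {ip} non-integer ID argument: {value!r}")
```

Feed real log lines from a WAF or reverse proxy into `suspicious_id_requests` and alert on any hit; a 500 status alongside a flagged value is a strong signal worth correlating with database error logs.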

Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-08-28T15:28:16.780Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68b11bdcad5a09ad0073ad4a

Added to database: 8/29/2025, 3:17:48 AM

Last enriched: 8/29/2025, 3:32:50 AM

Last updated: 8/29/2025, 4:21:40 AM
