CVE-2025-9684: SQL Injection in Portabilis i-Educar
A vulnerability was determined in Portabilis i-Educar up to 2.10. This affects an unknown part of the file /module/FormulaMedia/edit of the component Formula de Cálculo de Média Page. This manipulation of the argument ID causes SQL injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
AI Analysis
Technical Summary
CVE-2025-9684 is a medium-severity SQL Injection vulnerability affecting Portabilis i-Educar versions up to 2.10. The vulnerability resides in the /module/FormulaMedia/edit component, specifically within the Formula de Cálculo de Média Page. The issue arises from improper sanitization or validation of the 'ID' argument, which allows an attacker to inject SQL into the query built from it. As the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L) indicates, the flaw is reachable over the network, needs no user interaction, and requires only low-privileged access to the application (PR:L), so any ordinary account on the system is sufficient. The vulnerability impacts the confidentiality, integrity, and availability of the underlying database, potentially allowing attackers to read, modify, or delete sensitive educational data. Although the CVSS score is moderate (5.3), remote exploitability combined with no user-interaction requirement makes this a significant concern. No public exploits are currently known in the wild, but the exploit details have been publicly disclosed, increasing the risk of exploitation. The vulnerability affects all versions from 2.0 through 2.10 of i-Educar, a widely used open-source school management system primarily deployed in educational institutions. The lack of available patches or official remediation guidance at the time of publication means administrators need to apply their own mitigations immediately.
Potential Impact
For European organizations, particularly educational institutions using Portabilis i-Educar, this vulnerability poses a risk of unauthorized access to sensitive student and administrative data. Exploitation could lead to data breaches involving personal information, academic records, and potentially financial data, undermining privacy compliance obligations such as GDPR. The integrity of educational records could be compromised, affecting trust and operational continuity. Availability could also be impacted if attackers manipulate or delete critical data, disrupting school management processes. Given that the exploit works remotely and requires only a low-privileged account, attackers could leverage this vulnerability to establish persistent access or pivot within networks. The medium severity score suggests moderate but tangible risk, especially in environments lacking robust network segmentation or monitoring. European educational bodies with limited cybersecurity resources may be particularly vulnerable to exploitation attempts following public disclosure.
Mitigation Recommendations
Administrators should immediately audit their i-Educar installations to identify affected versions and restrict access to the /module/FormulaMedia/edit endpoint through network controls such as firewalls or web application firewalls (WAFs). Implement input validation and parameterized queries in the application code to prevent SQL injection, if source code access and development resources are available. Until an official patch is released, consider deploying virtual patching via WAF rules that detect and block suspicious SQL injection patterns targeting the 'ID' parameter. Regularly monitor logs for anomalous database queries or access attempts to this module. Conduct thorough backups of critical data to enable recovery in case of data integrity compromise. Engage with the vendor or community to obtain updates or patches promptly. Additionally, apply the principle of least privilege to database accounts used by i-Educar, limiting their permissions to reduce potential damage from exploitation.
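The log-monitoring recommendation above can be made concrete with an allow-list check on the 'ID' argument: a formula ID should only ever be a positive integer, so any request to the vulnerable endpoint whose ID is anything else is worth an alert. The following is an added example written for this advisory, not code from i-Educar or from the vulnerability database; it assumes the argument is passed as a query parameter named `id` (the advisory only says "argument ID", so the name is an assumption) and that the web server writes Apache/Nginx combined-format logs. The log lines are constructed.

```python
"""Screen web-server access logs for non-numeric ID values sent to the
i-Educar /module/FormulaMedia/edit endpoint (CVE-2025-9684).

Added example, not i-Educar code. Assumes the ID travels as a query
parameter named ``id`` (the advisory only says "argument ID") and that the
logs are in Apache/Nginx combined format. All sample lines are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

TARGET_PATH = "/module/FormulaMedia/edit"
# A legitimate formula ID is a positive integer; anything else is suspect.
ID_OK = re.compile(r"^[0-9]{1,10}$")
# Combined log format: client, timestamp, "METHOD target HTTP/x", status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def id_is_safe(value: str) -> bool:
    """Allow-list check; the same test belongs in the application before
    the value ever reaches a query (and the query should be parameterized)."""
    return bool(ID_OK.match(value))

def inspect_line(line: str):
    """Return (client, decoded_id) when the line is a request to the
    vulnerable endpoint with a non-numeric ID, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != TARGET_PATH:
        return None
    # The argument is reported as "ID"; accept any capitalisation of the name.
    qs = parse_qs(parts.query, keep_blank_values=True)
    ids = [v for k, vals in qs.items() if k.lower() == "id" for v in vals]
    for raw in ids:
        decoded = unquote(raw)  # parse_qs already decodes; this is a second pass
        if not id_is_safe(decoded):
            return (m.group("client"), decoded)
    return None

def scan(lines):
    """Run inspect_line over an iterable of log lines and return the hits."""
    return [hit for hit in map(inspect_line, lines) if hit]

# Constructed sample traffic: two benign requests, two that should be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Aug/2025:10:47:49 +0000] "GET /module/FormulaMedia/edit?id=12 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [30/Aug/2025:10:48:02 +0000] "GET /module/FormulaMedia/index HTTP/1.1" 200 3001',
    '198.51.100.7 - - [30/Aug/2025:11:02:45 +0000] "GET /module/FormulaMedia/edit?id=12%27 HTTP/1.1" 500 212',
    '198.51.100.7 - - [30/Aug/2025:11:02:51 +0000] "GET /module/FormulaMedia/edit?ID=12%20OR%201%3D1-- HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG):
        print(f"suspicious id from {client}: {value!r}")
```

A 500 status paired with a flagged ID, as in the third sample line, is the pattern to prioritise, since a database error on a malformed ID is the usual first sign that the parameter reaches a query unparameterized.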
Affected Countries
Portugal, Spain, Italy, France, Germany, United Kingdom
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-29T10:55:52.062Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68b2d6d5ad5a09ad0083e9c6
Added to database: 8/30/2025, 10:47:49 AM
Last enriched: 8/30/2025, 11:02:45 AM
Last updated: 8/30/2025, 11:55:42 AM