CVE-2025-10012
📋 TL;DR
This CVE describes a SQL injection vulnerability in Portabilis i-Educar educational software versions up to 2.10. Attackers can exploit the 'ref_cod_aluno' parameter in the educar_historico_escolar_lst.php endpoint to execute arbitrary SQL commands. The vulnerability affects all i-Educar installations up to version 2.10 and can be exploited remotely without authentication.
💻 Affected Systems
- Portabilis i-Educar
📦 What is this software?
i-Educar by Portabilis
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including sensitive student data, administrative credentials, and potential system takeover through SQL injection leading to remote code execution.
Likely Case
Data exfiltration of student records, grades, personal information, and potential manipulation of academic records.
If Mitigated
Limited impact with proper input validation and database permissions, potentially only read access to non-sensitive data.
🎯 Exploit Status
Public exploit details available on GitHub. The vulnerability is a time-based blind SQL injection, requiring some technical skill but well-documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 2.11 or later
Vendor Advisory: https://github.com/portabilis/i-educar
Restart Required: No
Instructions:
1. Back up your current installation and database.
2. Download the latest version from the official repository.
3. Follow the upgrade instructions in the documentation.
4. Verify the fix by testing the previously vulnerable endpoint.
🔧 Temporary Workarounds
Web Application Firewall (WAF) Rules
Implement WAF rules to block SQL injection patterns targeting the ref_cod_aluno parameter
Input Validation Filter
Add server-side validation so that only numeric values are accepted for the ref_cod_aluno parameter.
Modify educar_historico_escolar_lst.php to validate the parameter before it is used in any query: if (!isset($_GET['ref_cod_aluno']) || !is_numeric($_GET['ref_cod_aluno'])) { die('Invalid input'); }
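The check above stops the published payload, but is_numeric() still accepts strings such as "1e3" or "1.5", so a stricter integer check plus a bound parameter is the version worth deploying. The following is an added example, not i-Educar's own code; the table and column names in the query are placeholders, and it assumes the parameter is a positive integer student id and that a PDO connection is available.

```php
<?php
declare(strict_types=1);

/**
 * Return ref_cod_aluno as a validated positive integer, or null when the
 * raw value is anything else. FILTER_VALIDATE_INT rejects the injection
 * string "1' AND SLEEP(5)--" as well as "1e3" and "1.5", which
 * is_numeric() would let through.
 */
function validateRefCodAluno($raw): ?int
{
    if (!is_string($raw)) {
        return null;                       // arrays or missing values are not ids
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Fetch the student's transcript rows with the id bound as a parameter,
 * so the value is never concatenated into the SQL text.
 * Placeholder table/column names (assumption, not the project's schema).
 */
function fetchHistoricoEscolar(PDO $db, $rawRefCodAluno): array
{
    $refCodAluno = validateRefCodAluno($rawRefCodAluno);
    if ($refCodAluno === null) {
        http_response_code(400);
        exit('Invalid input');
    }
    $stmt = $db->prepare(
        'SELECT * FROM historico_escolar WHERE ref_cod_aluno = :id'
    );
    $stmt->bindValue(':id', $refCodAluno, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// In the endpoint, replace any string-built query with:
// $rows = fetchHistoricoEscolar($db, $_GET['ref_cod_aluno'] ?? '');
```

Even with the bound parameter in place, keep the validation step: it rejects bad input with a 400 before a database round trip and gives the application log a clean signal for the indicators listed under Detection & Monitoring.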
🧯 If You Can't Patch
- Implement strict input validation for all user-supplied parameters
- Restrict database user permissions to minimum required access
🔍 How to Verify
Check if Vulnerable:
Test the endpoint with SQL injection payloads: /educar_historico_escolar_lst.php?ref_cod_aluno=1' AND SLEEP(5)--
Check Version:
Check the version in the i-Educar admin interface or review the software documentation files
Verify Fix Applied:
Attempt the same SQL injection test after patching - it should return an error or normal response without delay
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in application logs
- Multiple requests with SQL keywords in parameters
- Requests to educar_historico_escolar_lst.php with suspicious parameters
Network Indicators:
- HTTP requests containing SQL injection patterns in the ref_cod_aluno parameter
- Unusual database query patterns from the application server
SIEM Query:
source="web_logs" AND uri="*educar_historico_escolar_lst.php*" AND (param="*ref_cod_aluno*" AND (value="*SLEEP*" OR value="*UNION*" OR value="*SELECT*"))
🔗 References
- https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10012.md
- https://github.com/marcelomulder/CVE/blob/main/i-educar/SQL%20Injection%20(Blind%20Time-Based)%20Vulnerability%20in%20ref_cod_aluno%20Parameter%20on%20educar_historico_escolar_lst.php%20Endpoint.md
- https://vuldb.com/?ctiid.322737
- https://vuldb.com/?id.322737
- https://vuldb.com/?submit.643549