CVE-2025-11049

6.3 MEDIUM

📋 TL;DR

CVE-2025-11049 is an improper authorization vulnerability in Portabilis i-Educar's /unificacao-aluno endpoint that allows unauthorized access to student unification functionality. Attackers can exploit this remotely to perform unauthorized actions. All i-Educar installations up to version 2.10 are affected.

💻 Affected Systems

Products:
  • Portabilis i-Educar
Versions: Up to and including version 2.10
Operating Systems: Any OS running i-Educar
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with the /unificacao-aluno endpoint accessible are vulnerable by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could manipulate student records, merge unauthorized student data, or disrupt educational administration systems leading to data integrity issues and privacy violations.

🟠 Likely Case

Unauthorized users accessing student unification functionality to view or modify student records without proper permissions.

🟢 If Mitigated

With proper access controls and network segmentation, impact is limited to unauthorized access attempts that are logged and blocked.

🌐 Internet-Facing: HIGH - Remote exploitation is possible and public exploit exists, making internet-facing instances particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts could exploit this vulnerability to escalate privileges or access unauthorized data.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

A proof-of-concept exploit is publicly available on GitHub. It requires an authenticated account but bypasses the authorization checks that should restrict the student unification feature to privileged users.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 2.11 or later

Vendor Advisory: https://github.com/portabilis/i-educar

Restart Required: No

Instructions:

1. Backup your i-Educar installation and database.
2. Update to i-Educar version 2.11 or later.
3. Verify the /unificacao-aluno endpoint now requires proper authorization.

🔧 Temporary Workarounds

Block Unauthorized Access to Endpoint


Temporarily restrict access to the vulnerable endpoint using web server configuration or firewall rules. Note that this blocks the student unification feature for legitimate users as well until the patch is applied.

Apache (server or virtual host context; mod_rewrite must be enabled and the engine switched on for the rule to take effect):

    RewriteEngine On
    RewriteRule ^/unificacao-aluno - [F]

Nginx (prefix match, so it also covers any path below /unificacao-aluno):

    location /unificacao-aluno { deny all; }

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach the i-Educar application.
  • Enable detailed logging and monitoring for unauthorized access attempts to the /unificacao-aluno endpoint.

🔍 How to Verify

Check if Vulnerable:

Using a user account that should not have student unification privileges, attempt to access the /unificacao-aluno endpoint. If the page is served instead of being rejected, the system is vulnerable.

Check Version:

Check i-Educar version in application settings or via: grep -r 'version' /path/to/i-educar/config/

Verify Fix Applied:

After patching, verify that unauthorized users cannot access the /unificacao-aluno endpoint and proper authorization checks are enforced.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to /unificacao-aluno endpoint
  • Student record modifications from unexpected users

Network Indicators:

  • HTTP requests to /unificacao-aluno from unauthorized IPs or users

SIEM Query:

source="web_server" AND (uri="/unificacao-aluno" OR uri LIKE "%/unificacao-aluno%") AND user NOT IN [authorized_users]
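The SIEM query above expressed as a standalone log check, added here as an example and not taken from this advisory or from the i-Educar project. It parses web server access logs in the common "combined" format, keeps only requests to /unificacao-aluno, and flags any whose authenticated user is not on an allow-list or whose source address is outside the expected networks. The allow-lists, user names, addresses and log lines are constructed assumptions for illustration; a served response (status below 400) from an unauthorized principal is reported as the strongest signal, since it means the authorization check did not reject the request.

```python
import ipaddress
import re

# Endpoint named in the advisory.
ENDPOINT = "/unificacao-aluno"

# Apache/Nginx "combined" log format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Assumed allow-lists: who may legitimately use student unification, and from where.
AUTHORIZED_USERS = {"secretaria.ana", "admin.escola"}
ALLOWED_NETWORKS = ["10.0.0.0/24"]


def parse_line(line):
    """Return a dict for one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["user"] = None if rec["user"] == "-" else rec["user"]  # "-" means unauthenticated
    rec["status"] = int(rec["status"])
    return rec


def hits_endpoint(path):
    """True when the request path (ignoring the query string) is the endpoint or lies below it."""
    bare = path.split("?", 1)[0]
    return bare == ENDPOINT or bare.startswith(ENDPOINT + "/")


def find_suspicious(lines, authorized_users=AUTHORIZED_USERS, allowed_networks=ALLOWED_NETWORKS):
    """Return a finding for each request to the endpoint that violates the user or network allow-list."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not hits_endpoint(rec["path"]):
            continue
        reasons = []
        if rec["user"] not in authorized_users:
            reasons.append("user not authorized for unification")
        if not any(ipaddress.ip_address(rec["ip"]) in n for n in nets):
            reasons.append("source outside allowed networks")
        # A 2xx/3xx answer to an unauthorized principal means the request was served, not rejected.
        if reasons and rec["status"] < 400:
            reasons.append("request served (status %d)" % rec["status"])
        if reasons:
            findings.append({
                "ip": rec["ip"], "user": rec["user"], "path": rec["path"],
                "status": rec["status"], "reasons": reasons,
            })
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - secretaria.ana [12/Oct/2025:10:01:02 -0300] "GET /unificacao-aluno HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.0.23 - prof.carlos [12/Oct/2025:10:05:44 -0300] "POST /unificacao-aluno HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '203.0.113.77 - secretaria.ana [12/Oct/2025:11:17:09 -0300] "GET /unificacao-aluno?ref=1 HTTP/1.1" 302 0 "-" "curl/8.0"',
    '10.0.0.8 - secretaria.ana [12/Oct/2025:11:20:30 -0300] "GET /login HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Oct/2025:11:25:01 -0300] "GET /unificacao-aluno HTTP/1.1" 403 199 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f["ip"], f["user"], f["path"], f["status"], "; ".join(f["reasons"]))
```

Point the script at the real access log (one line per list element) and replace the allow-lists with the accounts and networks that actually hold the unification permission; after patching, the only remaining findings should carry a 4xx status.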
