CVE-2025-11554

CVSS base score: 6.3 (MEDIUM)

📋 TL;DR

This vulnerability in Portabilis i-Educar allows an authenticated, remote attacker to escalate privileges through insecure inherited permissions in the User Type Handler component (app/Http/Controllers/AccessLevelController.php): permissions inherited from a user type are not bounded by the acting user's own level, so a low-privileged account can reach functions reserved for higher privilege levels. All installations running i-Educar up to and including version 2.9.10 are affected.

💻 Affected Systems

Products:
  • Portabilis i-Educar
Versions: Up to and including 2.9.10
Operating Systems: Linux, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with default configurations are vulnerable. The vulnerability exists in the AccessLevelController.php file.

📦 What is this software?

Portabilis i-Educar is an open-source, PHP/Laravel-based school management system (enrolment, classes, grades, staff and user administration) used mainly by Brazilian public schools. The affected AccessLevelController manages the user types (access levels) that determine what each account may do, which is why a flaw there translates directly into privilege escalation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain administrative privileges, allowing complete system compromise, data theft, and further lateral movement within the network.

🟠 Likely Case

Unauthorized users gain elevated permissions to access sensitive student/teacher data, modify grades, or alter system configurations.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to attempted privilege escalation that can be detected and blocked.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploit requires authenticated access but can be combined with other vulnerabilities. Public exploit code is available on GitHub.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.9.11 or later

Vendor Advisory: https://github.com/portabilis/i-educar

Restart Required: No

Instructions:

1. Back up the current installation (application files and database).
2. Update to i-Educar version 2.9.11 or later.
3. Verify that app/Http/Controllers/AccessLevelController.php has been updated.
4. Test user-type permission inheritance: with a non-admin account that is allowed to manage users, confirm that a user type with privileges above the account's own level can no longer be granted.
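The bug class named above (inherited permissions that are not bounded by the actor's own level) and the check the fix must enforce, modelled in Python as an added example. This is not i-Educar's code: the user types, their numeric ordering, the permission sets, the account names and the handler API are all assumptions made for illustration. The vulnerable handler only asks "may this user manage users?"; the hardened one additionally refuses to grant, or to touch, anything above the actor's own level.

```python
from dataclasses import dataclass

# ASSUMPTION: a simplified privilege ordering, not i-Educar's real user types.
# Higher number = more power.
LEVELS = {"student": 10, "teacher": 20, "school_admin": 30, "system_admin": 40}

# ASSUMPTION: permissions an account inherits from its user type.
TYPE_PERMS = {
    "student": set(),
    "teacher": {"view_grades", "edit_grades"},
    "school_admin": {"view_grades", "edit_grades", "manage_users"},
    "system_admin": {"view_grades", "edit_grades", "manage_users", "manage_system"},
}


@dataclass
class User:
    name: str
    user_type: str


def permissions_for(user: User) -> set:
    """Permissions inherited from the user's type."""
    return set(TYPE_PERMS[user.user_type])


class VulnerableAccessLevelHandler:
    """Checks that the actor may manage users, but never bounds WHAT they may grant.

    A school_admin inherits manage_users and can therefore hand out system_admin
    to anyone, including themselves: the inherited permission is not scoped to
    the actor's own level.
    """

    def __init__(self, users: dict):
        self.users = users

    def assign_type(self, actor: User, target_name: str, new_type: str) -> str:
        if "manage_users" not in permissions_for(actor):
            raise PermissionError("not allowed to manage users")
        if new_type not in LEVELS:
            raise ValueError(f"unknown user type {new_type!r}")
        self.users[target_name].user_type = new_type
        return new_type


class HardenedAccessLevelHandler(VulnerableAccessLevelHandler):
    """Same entry point, plus a privilege ceiling on both the grant and the target."""

    def assign_type(self, actor: User, target_name: str, new_type: str) -> str:
        if "manage_users" not in permissions_for(actor):
            raise PermissionError("not allowed to manage users")
        if new_type not in LEVELS:
            raise ValueError(f"unknown user type {new_type!r}")
        ceiling = LEVELS[actor.user_type]
        target = self.users[target_name]
        # Nobody may grant more than they hold (covers self-promotion too)...
        if LEVELS[new_type] > ceiling:
            raise PermissionError("cannot grant a user type above your own level")
        # ...nor modify an account that already outranks them.
        if LEVELS[target.user_type] > ceiling:
            raise PermissionError("cannot modify a user above your own level")
        target.user_type = new_type
        return new_type


def make_users() -> dict:
    # Constructed sample accounts.
    return {
        "joao": User("joao", "school_admin"),
        "ana": User("ana", "teacher"),
        "root": User("root", "system_admin"),
    }


def demo() -> dict:
    """Runs the same escalation attempts against both handlers and reports the outcomes."""
    results = {}
    users = make_users()
    vuln = VulnerableAccessLevelHandler(users)
    # joao (school_admin) promotes himself to system_admin: accepted by the vulnerable handler.
    results["vulnerable_self_promotion"] = vuln.assign_type(users["joao"], "joao", "system_admin")

    users = make_users()
    hard = HardenedAccessLevelHandler(users)
    for label, target, new_type in (
        ("hardened_self_promotion", "joao", "system_admin"),  # grant above own level
        ("hardened_demote_superior", "root", "student"),      # target above own level
    ):
        try:
            hard.assign_type(users["joao"], target, new_type)
            results[label] = "accepted"
        except PermissionError:
            results[label] = "rejected"
    # Legitimate use still works: a school_admin may make a teacher a school_admin.
    results["hardened_lateral_grant"] = hard.assign_type(users["joao"], "ana", "school_admin")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Step 4 of the instructions is exactly the hardened branch exercised by hand: log in as a user-managing non-admin and attempt the self-promotion; a patched deployment must reject it.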

🔧 Temporary Workarounds

Restrict Access to AccessLevelController

Applies to: all affected versions

Temporarily restrict access to the routes served by the vulnerable controller at the web server, allowing them only from trusted administrative IP ranges (an nginx location block, or an Apache Location/Directory section with Require ip). Changing file permissions on the controller (for example chmod 600 on app/Http/Controllers/AccessLevelController.php) is not a control: PHP executes the file as the web server user, so the routes either keep working unchanged or the application breaks, and HTTP reachability of the vulnerable code is unaffected either way. An IP restriction also does nothing against an attacker who already holds an account inside the allowed range, so treat it as a stopgap until 2.9.11 is deployed.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate i-Educar instances
  • Enable detailed logging and monitoring for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Any installation at version 2.9.10 or earlier is vulnerable regardless of local inspection. To confirm the file in place, check that app/Http/Controllers/AccessLevelController.php exists and diff it against the same file in the 2.9.11 release tag of the vendor repository; this page lists no file hashes, so do not rely on hash comparison.

Check Version:

Read the installed i-Educar release from the deployment checkout (for example git describe --tags) or from the version recorded in composer.json if your packaging keeps one. Note that php artisan --version reports the Laravel framework version, not the i-Educar release, so it cannot be used on its own.

Verify Fix Applied:

Confirm the version is 2.9.11 or later, then, logged in as a non-admin account that is allowed to manage users, attempt to assign a user type with higher privileges than the account's own (including to the account itself); the request must be rejected.

📡 Detection & Monitoring

Log Indicators:

  • Repeated rejected requests to user-type/access-level management routes from a non-admin account
  • User-type or permission changes where the granted level exceeds the acting user's own, or where an account changes its own type
  • Requests to AccessLevelController routes from IPs outside the expected administrative ranges

Network Indicators:

  • HTTP POST requests to AccessLevelController endpoints
  • Unusual authentication patterns

SIEM Query:

source="i-educar-logs" AND (event="permission_change" OR controller="AccessLevelController")

The field names are illustrative and depend on how your logging pipeline labels i-Educar's application and web server logs; map them to the fields actually emitted before deploying the query.
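The log and network indicators above turned into runnable detection logic, added here as an example (not from the page, the project, or any SIEM product). The access-log lines and audit events are constructed, the audit field names are assumptions, and the route prefix /access-level stands in for the real route served by AccessLevelController, which this page does not give and which must be read from the deployment's routes file.

```python
import ipaddress
import json
import re

# Combined Log Format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# ASSUMPTION: placeholder for the route prefix that AccessLevelController serves.
ACCESS_LEVEL_ROUTE = "/access-level"
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample web server access log (not real traffic).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - maria [19/Oct/2025:09:12:01 -0300] "GET /access-level HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - joao [19/Oct/2025:09:12:44 -0300] "POST /access-level/3 HTTP/1.1" 302 0 "-" "python-requests/2.32"
10.0.0.5 - maria [19/Oct/2025:09:13:10 -0300] "POST /access-level HTTP/1.1" 200 210 "-" "Mozilla/5.0"
198.51.100.9 - joao [19/Oct/2025:09:14:02 -0300] "POST /access-level/3 HTTP/1.1" 403 0 "-" "python-requests/2.32"
203.0.113.7 - joao [19/Oct/2025:09:15:30 -0300] "GET /login HTTP/1.1" 200 900 "-" "python-requests/2.32"
"""

# Constructed application audit events as JSON lines; the field names are assumptions
# about what an audit log of user-type changes would record.
SAMPLE_AUDIT_LOG = """\
{"event":"permission_change","actor":"maria","actor_level":40,"target":"ana","new_level":20}
{"event":"permission_change","actor":"joao","actor_level":30,"target":"joao","new_level":40}
{"event":"login","actor":"joao"}
{"event":"permission_change","actor":"joao","actor_level":30,"target":"pedro","new_level":30}
"""


def parse_access_log(text):
    """Yield parsed records; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def flag_access_level_writes(text, trusted_nets):
    """Write requests to the access-level routes from outside the trusted ranges.

    Returns (ip, user, method, path, status) tuples. Rejected attempts (403) are
    kept on purpose: a burst of them is the 'repeated rejected requests' indicator.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for rec in parse_access_log(text):
        if rec["method"] not in WRITE_METHODS:
            continue
        if not rec["path"].startswith(ACCESS_LEVEL_ROUTE):
            continue
        ip = ipaddress.ip_address(rec["ip"])
        if any(ip in net for net in nets):
            continue
        hits.append((rec["ip"], rec["user"], rec["method"], rec["path"], int(rec["status"])))
    return hits


def flag_escalations(text):
    """permission_change events that grant above the actor's level or target the actor."""
    hits = []
    for line in text.splitlines():
        ev = json.loads(line)
        if ev.get("event") != "permission_change":
            continue
        if ev["new_level"] > ev["actor_level"] or ev["actor"] == ev["target"]:
            hits.append((ev["actor"], ev["target"], ev["new_level"]))
    return hits


if __name__ == "__main__":
    for hit in flag_access_level_writes(SAMPLE_ACCESS_LOG, ["10.0.0.0/8"]):
        print("web:", hit)
    for hit in flag_escalations(SAMPLE_AUDIT_LOG):
        print("audit:", hit)
```

The web-log rule catches the network indicator (writes to the controller's routes from unexpected sources) and the audit rule catches the log indicator (a grant that exceeds the actor's own level, or a self-assignment); running both over the same time window is what lets an analyst tell a legitimate administrator from an escalation attempt.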
