CVE-2025-65024
📋 TL;DR
An authenticated time-based SQL injection vulnerability in i-Educar school management software allows attackers with valid user sessions to execute arbitrary SQL commands against the database. This affects i-Educar versions 2.10.0 and earlier. The vulnerability exists in the agenda_admin_cad.php script where the cod_agenda parameter is improperly handled.
💻 Affected Systems
- i-Educar
📦 What is this software?
i-Educar, a school management system developed by Portabilis.
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data theft, data manipulation, privilege escalation, and potential remote code execution if database functions allow it.
Likely Case
Data exfiltration of sensitive student/teacher information, manipulation of academic records, and potential lateral movement within the database.
If Mitigated
Limited impact with proper network segmentation, database permissions, and monitoring in place.
🎯 Exploit Status
Exploitation requires a valid user session. Once authenticated, the flaw is a standard time-based blind SQL injection: the attacker infers data from response delays, which is easy to automate with off-the-shelf tooling.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit 3e9763a and later
Vendor Advisory: https://github.com/portabilis/i-educar/security/advisories/GHSA-6c8p-xqcv-rghx
Restart Required: No
Instructions:
1. Update to the latest i-Educar release, which contains commit 3e9763a.
2. If you cannot upgrade, apply the change from commit 3e9763a manually to your deployment.
3. Verify the fix by re-testing the vulnerable endpoint (see How to Verify below).
🔧 Temporary Workarounds
Web Application Firewall Rule
Block or sanitize suspicious SQL patterns in the cod_agenda parameter (WAF-specific configuration required). A positive rule that admits only the value format the script expects is more reliable than a keyword blocklist, which case changes, inline comments and alternative database functions can evade.
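One concrete form of such a rule, added here as an example (not taken from the vendor advisory or the i-Educar project), is a ModSecurity chained rule that admits only an integer cod_agenda on the vulnerable script and refuses everything else. It assumes cod_agenda is a numeric id, as its name suggests, and uses 1000001 as a placeholder rule id:

```apacheconf
# Added example, not from the advisory. Assumptions: cod_agenda is a numeric
# id; rule id 1000001 is free in your local ruleset.
# Rule 1 matches the vulnerable script and chains to rule 2, which fires when
# cod_agenda is present but is not a short run of digits. Phase 2 covers both
# query-string and POST arguments.
SecRule REQUEST_FILENAME "@endsWith /ieducar/intranet/agenda_admin_cad.php" \
    "id:1000001,phase:2,deny,status:403,log,msg:'CVE-2025-65024: non-numeric cod_agenda',chain"
    SecRule ARGS:cod_agenda "!@rx ^[0-9]{1,10}$"
```

Because the chained rule only fires when cod_agenda is present and malformed, requests that omit the parameter are unaffected, which keeps the rule from breaking unrelated navigation to the script.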
Access Restriction
Restrict access to /ieducar/intranet/agenda_admin_cad.php to the network ranges that actually need it. This only narrows who can reach the script; the attack requires an authenticated session, so a legitimate user inside the allowed range can still exploit it.
# Apache (2.4+):
<Location /ieducar/intranet/agenda_admin_cad.php>
    Require ip 192.168.1.0/24
</Location>
# Nginx. Keep your usual fastcgi_* directives inside this block: nginx does not
# merge a sibling "location ~ \.php$" block, and without a PHP handler the
# file would be served as static text, leaking its source.
location = /ieducar/intranet/agenda_admin_cad.php {
    allow 192.168.1.0/24;
    deny all;
}
🧯 If You Can't Patch
- Apply the change from commit 3e9763a by hand: validate cod_agenda (if, as its name suggests, it is a numeric id, reject anything that is not one) and pass it to the database as a bound parameter instead of concatenating it into the query string.
- Run the i-Educar database role with only the privileges the application needs (no superuser, no file or program access), and segment the database server from the application host so a compromised query cannot be turned into host access.
🔍 How to Verify
Check if Vulnerable:
While authenticated, request /ieducar/intranet/agenda_admin_cad.php with a normal cod_agenda value and then with a value that appends a database sleep. i-Educar runs on PostgreSQL, so the relevant function is pg_sleep(); MySQL SLEEP() and MSSQL WAITFOR do not apply. A response that is consistently delayed by the sleep interval indicates the injection. Repeat each measurement and compare medians so that ordinary latency jitter is not mistaken for a delay.
Check Version:
Read the i-Educar version in the admin panel, or inspect the git history of your deployment; version 2.10.0 and earlier are affected.
Verify Fix Applied:
Confirm that commit 3e9763a is present in your codebase (git log, or git branch --contains 3e9763a) and repeat the timing test: the sleep payload must no longer delay the response.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in application logs (a malformed injection attempt typically produces a database syntax error before a working payload is found)
- Multiple rapid requests to agenda_admin_cad.php with varying cod_agenda values from one session or source address
- Queries from the application's database user that take seconds instead of milliseconds or call pg_sleep(); in PostgreSQL, log_min_duration_statement will surface these
Network Indicators:
- HTTP requests to agenda_admin_cad.php with SQL syntax in parameters
- Unusual database traffic patterns from application server
SIEM Query (pseudo-syntax; URL-decode the parameter value before matching, since web logs hold the percent-encoded form):
source="web_logs" AND uri="/ieducar/intranet/agenda_admin_cad.php" AND param="cod_agenda" AND value MATCHES "(?i)(SELECT|UNION|SLEEP|PG_SLEEP|WAITFOR|BENCHMARK)"
A tighter rule, if cod_agenda is only ever an integer id in your deployment, is to alert on any value for this parameter that does not match "^[0-9]+$".
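The indicators above run over sample web-server log lines, as an added example (not vendor or project code). The log lines are constructed for the example in Apache/nginx combined format; only the script path comes from the advisory. The scanner URL-decodes cod_agenda before matching, applies the keyword list from the SIEM query plus the PostgreSQL form and common injection metacharacters, flags non-integer values (assuming cod_agenda is a numeric id), and counts per-source bursts:

```python
import re
from urllib.parse import parse_qs, urlsplit

# Added example, not i-Educar or vendor code. SAMPLE_LOG is constructed;
# only TARGET_PATH comes from the advisory.
TARGET_PATH = "/ieducar/intranet/agenda_admin_cad.php"

SAMPLE_LOG = """\
10.0.0.5 - - [10/Nov/2025:14:02:11 +0000] "GET /ieducar/intranet/agenda_admin_cad.php?cod_agenda=42 HTTP/1.1" 200 5120
10.0.0.5 - - [10/Nov/2025:14:02:12 +0000] "GET /ieducar/intranet/agenda_cad.php?cod_agenda=42 HTTP/1.1" 200 4800
10.0.0.9 - - [10/Nov/2025:14:05:30 +0000] "GET /ieducar/intranet/agenda_admin_cad.php?cod_agenda=42%20AND%201%3D%28SELECT%201%20FROM%20pg_sleep%285%29%29 HTTP/1.1" 200 5120
10.0.0.9 - - [10/Nov/2025:14:05:36 +0000] "GET /ieducar/intranet/agenda_admin_cad.php?cod_agenda=42%27%20AND%20SLEEP%285%29--%20- HTTP/1.1" 200 5120
10.0.0.9 - - [10/Nov/2025:14:05:42 +0000] "GET /ieducar/intranet/agenda_admin_cad.php?cod_agenda=42%29 HTTP/1.1" 500 310
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d+)'
)
# Keywords from the advisory's SIEM query plus the PostgreSQL sleep function
# and the metacharacters a blind probe almost always needs.
SQLI_RE = re.compile(r"(?i)\b(select|union|sleep|pg_sleep|waitfor|benchmark)\b|--|;|'|/\*")


def parse_line(line):
    """Parse one combined-format line; parse_qs URL-decodes cod_agenda."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["uri"])
    entry["path"] = parts.path
    params = parse_qs(parts.query, keep_blank_values=True)
    entry["cod_agenda"] = params.get("cod_agenda", [None])[0]
    return entry


def classify(entry):
    """Reasons one request to the vulnerable script looks like an injection probe."""
    if entry is None or entry["path"] != TARGET_PATH or entry["cod_agenda"] is None:
        return []
    value = entry["cod_agenda"]
    reasons = []
    if SQLI_RE.search(value):
        reasons.append("sql-keyword-or-metachar")
    if not re.fullmatch(r"[0-9]+", value):  # assumes cod_agenda is an integer id
        reasons.append("non-integer-cod_agenda")
    if entry["status"] == "500":
        reasons.append("server-error")
    return reasons


def scan(log_text, burst_threshold=3):
    """Return (ip, cod_agenda, reason) alerts, including per-source bursts."""
    alerts = []
    hits_per_ip = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if entry["path"] == TARGET_PATH:
            hits_per_ip[entry["ip"]] = hits_per_ip.get(entry["ip"], 0) + 1
        for reason in classify(entry):
            alerts.append((entry["ip"], entry["cod_agenda"], reason))
    for ip, count in hits_per_ip.items():
        if count >= burst_threshold:
            alerts.append((ip, None, f"burst:{count}"))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

On the sample, the benign request from 10.0.0.5 produces nothing, while 10.0.0.9 is flagged for the pg_sleep probe, the MySQL-style SLEEP probe, the malformed value that caused a 500, and the burst of three hits. The non-integer check catches the last case even though it contains no SQL keyword, which is why the allowlist rule is worth keeping next to the keyword match.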