CVE-2025-9608 Overview
CVE-2025-9608 is a SQL injection vulnerability in Portabilis i-Educar versions up to 2.10. The flaw resides in the /module/FormulaMedia/view endpoint, part of the Formula de Cálculo de Média page. Attackers can manipulate the id parameter to inject arbitrary SQL statements into backend database queries. The vulnerability requires low-privileged authentication but can be triggered remotely over the network. Public disclosure of the exploit details on GitHub increases the likelihood of opportunistic exploitation against exposed school management deployments. The issue is tracked under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component).
Critical Impact
Authenticated remote attackers can extract or modify database contents through blind time-based SQL injection in the id parameter, exposing student records and academic data.
Affected Products
- Portabilis i-Educar versions up to and including 2.10
- i-Educar FormulaMedia view module
- Deployments exposing the /module/FormulaMedia/view endpoint
Discovery Timeline
- 2025-08-29 - CVE-2025-9608 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-9608
Vulnerability Analysis
The vulnerability stems from unsanitized handling of the id parameter in the /module/FormulaMedia/view endpoint. The application concatenates user-supplied input directly into a SQL query without parameterization or input validation. Public proof-of-concept research classifies this as a blind time-based SQL injection. Attackers infer query results by observing response delays caused by injected SQL functions such as pg_sleep() or SLEEP(). Successful exploitation allows enumeration of database schemas, extraction of credentials, and potential modification of grading records stored in the i-Educar school management system.
Root Cause
The root cause is improper neutralization of special elements within a database query (CWE-74). The id argument is interpolated into a SQL statement without the use of prepared statements or escape routines. Because i-Educar is a Brazilian school management platform handling student grade calculations, the affected module processes integer identifiers that should be strictly validated server-side before being placed into any query context.
Attack Vector
Exploitation requires network access to the i-Educar web application and a low-privileged authenticated session. The attacker submits a crafted HTTP request to /module/FormulaMedia/view with a malicious payload appended to the id query parameter. Blind time-based techniques rely on conditional time delays to extract data character by character. Public proof-of-concept material is available at the GitHub PoC for CVE-2025-9608 and the associated blind time-based SQL injection write-up.
No verified code examples are available. Refer to the linked advisories for full payload details.
Detection Methods for CVE-2025-9608
Indicators of Compromise
- HTTP requests to /module/FormulaMedia/view containing SQL keywords such as SLEEP, pg_sleep, UNION, SELECT, or comment markers (--, /*) in the id parameter.
- Anomalously long response times from the FormulaMedia endpoint indicative of time-based blind injection.
- Web server access logs showing repeated authenticated requests to the endpoint from a single source with incrementally varied id values.
Detection Strategies
- Deploy web application firewall (WAF) signatures matching SQL injection payloads targeting integer parameters on the i-Educar application path.
- Monitor database server logs for queries originating from the i-Educar service account that contain conditional time functions or boolean tautologies.
- Correlate authentication events with subsequent abnormal query volume from low-privileged user sessions.
Monitoring Recommendations
- Enable verbose query logging on the database backend supporting i-Educar and forward logs to a centralized analytics platform.
- Alert on HTTP 500 responses or repeated long-latency responses from /module/FormulaMedia/view.
- Baseline normal id parameter values and flag non-numeric or oversized inputs at the reverse proxy.
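As an added illustration of the indicators above (example code written for this page, not part of the original advisory or of i-Educar), the following Python scans constructed access log lines and flags requests to /module/FormulaMedia/view whose id is non-numeric, contains the listed SQL keywords or comment markers, returned HTTP 500, or exceeded a latency threshold. It assumes the combined log format with the upstream response time appended as a final field; adjust LOG_LINE for other formats.

```python
import re
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/module/FormulaMedia/view"
# SQL keywords and comment markers listed in the indicators of compromise.
SQL_PATTERN = re.compile(r"(?i)\b(sleep|pg_sleep|union|select)\b|--|/\*")
# Assumed log_format: combined, with upstream response time appended as a last field.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" '
    r"(?P<status>\d{3}) \d+ (?P<rt>[\d.]+)$"
)

# Constructed sample lines: a benign request, two injection-style requests
# against the vulnerable endpoint, and a request to an unrelated module.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Aug/2025:10:00:01 -0300] "GET /module/FormulaMedia/view?id=42 HTTP/1.1" 200 5120 0.041
10.0.0.9 - - [29/Aug/2025:10:00:07 -0300] "GET /module/FormulaMedia/view?id=42%20AND%20pg_sleep(5) HTTP/1.1" 200 5120 5.083
10.0.0.9 - - [29/Aug/2025:10:00:15 -0300] "GET /module/FormulaMedia/view?id=42'%20OR%201=1-- HTTP/1.1" 500 312 0.030
10.0.0.5 - - [29/Aug/2025:10:00:20 -0300] "GET /module/Avaliacao/view?id=7 HTTP/1.1" 200 900 0.050
"""

def inspect_request(target, status, response_time, slow_threshold=3.0):
    """Return the indicator names that apply to one request; [] when it looks clean."""
    url = urlsplit(target)
    if url.path != TARGET_PATH:
        return []
    # parse_qs percent-decodes, so encoded payloads are examined in clear text.
    raw_id = parse_qs(url.query, keep_blank_values=True).get("id", [""])[0]
    reasons = []
    if not re.fullmatch(r"[0-9]+", raw_id):
        reasons.append("non_numeric_id")
    if SQL_PATTERN.search(raw_id):
        reasons.append("sql_keyword")
    if response_time >= slow_threshold:
        reasons.append("slow_response")
    if status == 500:
        reasons.append("server_error")
    return reasons

def scan_log(text, slow_threshold=3.0):
    """Parse access log text and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:  # skip lines that do not match the expected format
            continue
        reasons = inspect_request(m["target"], int(m["status"]), float(m["rt"]), slow_threshold)
        if reasons:
            findings.append({"ip": m["ip"], "target": m["target"], "reasons": reasons})
    return findings
```

Running scan_log(SAMPLE_LOG) reports only the two requests from 10.0.0.9; a follow-up step would group findings by ip to surface the repeated, incrementally varied id values mentioned above.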
How to Mitigate CVE-2025-9608
Immediate Actions Required
- Restrict network access to the i-Educar application using IP allowlisting or VPN-only access until a patched release is applied.
- Audit user accounts and revoke unnecessary low-privileged access that could be used to reach the vulnerable endpoint.
- Review database and application logs for evidence of prior exploitation attempts targeting /module/FormulaMedia/view.
Patch Information
No vendor advisory or fixed version has been published in the NVD record at the time of writing. Administrators should monitor the Portabilis i-Educar repository and VulDB entry #321786 for updated patch information. Until a vendor patch is available, apply compensating controls described below.
Workarounds
- Configure a WAF rule to block requests to /module/FormulaMedia/view where the id parameter contains non-numeric characters.
- Place the application behind a reverse proxy that enforces strict parameter validation and rate limiting.
- Where feasible, limit the database account used by i-Educar to SELECT on the required tables, reducing the write impact of a successful injection.
# Example NGINX rule restricting id to numeric values only.
# $arg_id is empty when the parameter is absent, so such requests are also
# rejected with 400; relax the check if the endpoint is legitimately called without id.
location /module/FormulaMedia/view {
    if ($arg_id !~ "^[0-9]+$") {
        return 400;
    }
    proxy_pass http://i-educar-backend;  # upstream name is illustrative
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.