CVE-2025-9531 CVE-2025-9531

CVE-2025-9531

Introduction

While exploring i-Educar, I uncovered a critical time-based blind SQL Injection vulnerability in the cod_agenda parameter of the /intranet/agenda.php endpoint.

This flaw allows attackers to execute arbitrary SQL queries silently against the backend database, putting data confidentiality, integrity, and availability at risk.


What is CVE-2025-9531?

The CVE-2025-9531 is a SQL Injection vulnerability in the /intranet/agenda.php endpoint of the i-Educar application.

The vulnerable parameter is cod_agenda, which lacks proper input validation. This makes it possible to inject custom SQL queries, including PG_SLEEP() functions that introduce time delays, confirming the flaw via time-based behavior.


Technical Details

» Vulnerable Endpoint: /intranet/agenda.php

» Affected Parameter: cod_agenda

» Payload Used (Decoded):

' AND 4698=(SELECT 4698 FROM PG_SLEEP(5)) AND 'xiCO'='xiCO

Proof of Concept (PoC)

To reproduce the vulnerability:

» Access the vulnerable endpoint and click on: “Novo Compromisso”;

» Fill in the required fields and click on: “Save”;

» The system redirects to a URL like:

http://localhost:8086/intranet/agenda.php?cod_agenda=2&time=1755283

» Now, modify the: cod_agenda parameter with the payload:

/intranet/agenda.php?cod_agenda=2' AND 4698=(SELECT 4698 FROM PG_SLEEP(5)) AND 'xiCO'='xiCO

The server will take 5 seconds to respond, confirming that the SQL query was executed successfully:

You can access the full technical report with all step-by-step evidence here:

CVE-2025-9531 Report


Impact

This SQL Injection vulnerability can be exploited to:

  • Access sensitive data stored in the database;
  • Enumerate database schemas, tables, and columns;
  • Modify, delete, or insert arbitrary records;
  • Steal user credentials and personal information;
  • Perform a denial of service (DoS) attack by triggering long query delays;
  • In some cases, escalate to Remote Code Execution (RCE).

Official Sources

This vulnerability was reported responsibly and is publicly registered as:


Credits

Discovered with💜 by Karina Gante.

LinkedInGitHubGmailInstagram

Official Member of CVE-Hunters🏹


← Back to blog