Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-24022

CVE-2025-24022: Combodo iTop RCE Vulnerability

CVE-2025-24022 is a remote code execution flaw in Combodo iTop that enables server code execution through the portal frontend. This article covers the technical details, affected versions, security impact, and mitigation.

Published:

CVE-2025-24022 Overview

CVE-2025-24022 affects iTop, a web-based IT Service Management (ITSM) tool maintained by Combodo. The vulnerability allows server-side code execution through the frontend of iTop's portal. An authenticated attacker with low privileges can leverage the portal to execute arbitrary code on the underlying server.

The issue is classified under [CWE-78] (Improper Neutralization of Special Elements used in an OS Command). Combodo addressed the flaw in iTop versions 2.7.12, 3.1.3, and 3.2.1. All prior releases remain vulnerable and should be upgraded immediately.

Critical Impact

Authenticated attackers can execute arbitrary code on the iTop server through the portal frontend, leading to full compromise of the ITSM platform and potentially connected infrastructure data.

Affected Products

  • Combodo iTop versions prior to 2.7.12
  • Combodo iTop 3.x versions prior to 3.1.3
  • Combodo iTop 3.2.x versions prior to 3.2.1

Discovery Timeline

  • 2025-05-14 - CVE-2025-24022 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-24022

Vulnerability Analysis

The vulnerability exists in the user-facing portal component of iTop. The portal accepts input that is ultimately passed into server-side execution paths without sufficient neutralization of special elements used by the operating system. This results in command injection conditions [CWE-78].

Exploitation requires network access to the portal and a low-privilege authenticated session. The attack complexity is high, indicating the attacker must satisfy specific preconditions before injection succeeds. Successful exploitation impacts confidentiality, integrity, and availability of the iTop host and crosses a security scope boundary.

Because iTop typically holds configuration management database (CMDB) data, ticket records, and credentials for managed systems, a compromise extends beyond the application itself. Adversaries can pivot to integrated infrastructure, exfiltrate operational data, or tamper with ITSM workflows.

Root Cause

The root cause is insufficient sanitization of portal input that flows into OS command execution paths on the server. Combodo's fix commits 082d865efaf8a349b60fe3875e9c726c24f8a8bd, 37fc1a572380f2faa67fddea5b1a3a4ba72ed54e, and 5780f26817c2303c5bdd0ad16e21d4d959780b0b modify the affected code paths to remove the unsafe execution behavior.

Attack Vector

The attack vector is network-based. An authenticated portal user submits crafted input via the iTop portal frontend. The malicious payload reaches a server-side handler that executes it in the context of the iTop application process. No user interaction is required beyond the attacker's own portal session.

Technical details are described in the GitHub Security Advisory GHSA-rhv2-wfrr-4j2j and the associated commits.

Detection Methods for CVE-2025-24022

Indicators of Compromise

  • Unexpected child processes spawned by the PHP or web server process hosting iTop (e.g., sh, bash, cmd.exe, powershell.exe).
  • Outbound network connections from the iTop server to unfamiliar external hosts shortly after portal requests.
  • New or modified files within the iTop web root, particularly PHP files outside the standard installation tree.
  • Portal access logs showing unusual POST payloads from low-privilege accounts followed by error spikes.

Detection Strategies

  • Monitor web server access logs for portal endpoints receiving unusually long, encoded, or shell-metacharacter-laden parameters.
  • Alert on the iTop application user spawning shell interpreters or system utilities such as wget, curl, nc, or whoami.
  • Correlate authenticated portal sessions with subsequent process or filesystem anomalies on the iTop host.

Monitoring Recommendations

  • Enable verbose audit logging in iTop for portal actions and forward logs to a centralized SIEM for retention and correlation.
  • Baseline normal process trees for the web server hosting iTop and alert on deviations.
  • Track outbound traffic from the iTop server and restrict egress to only required endpoints.

How to Mitigate CVE-2025-24022

Immediate Actions Required

  • Upgrade iTop to version 2.7.12, 3.1.3, or 3.2.1 depending on the deployed major branch.
  • Audit portal user accounts and remove or disable unused low-privilege accounts that could be abused for exploitation.
  • Review iTop server logs and host telemetry for signs of prior exploitation before applying the patch.
  • Rotate any credentials, API tokens, or integration secrets stored in or accessible by the iTop instance.

Patch Information

Combodo released fixes in iTop 2.7.12, 3.1.3, and 3.2.1. The relevant fix commits are 082d865efaf8a349b60fe3875e9c726c24f8a8bd, 37fc1a572380f2faa67fddea5b1a3a4ba72ed54e, and 5780f26817c2303c5bdd0ad16e21d4d959780b0b. Refer to the Combodo iTop Security Advisory for vendor guidance.

Workarounds

  • Restrict portal access to trusted networks via firewall, VPN, or reverse proxy access control lists until patching is complete.
  • Place the iTop portal behind a web application firewall (WAF) configured to block OS command injection patterns.
  • Run the iTop web service under a least-privileged operating system account to limit the blast radius of any successful exploitation.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.