CVE-2022-24780

8.8 HIGH

📋 TL;DR

CVE-2022-24780 is a critical remote code execution vulnerability in Combodo iTop ITSM software. Authenticated users can inject TWIG template code through forged HTTP requests, allowing them to execute arbitrary commands on the server with web server privileges. This affects all iTop installations running versions before 2.7.6 or 3.0.0.

💻 Affected Systems

Products:
  • Combodo iTop
Versions: All versions before 2.7.6 and all 3.x versions before 3.0.0
Operating Systems: Any OS running iTop (typically Linux with Apache/Nginx)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the user portal, but any valid user account can exploit this vulnerability

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full server compromise leading to data theft, lateral movement, ransomware deployment, or complete system takeover

🟠 Likely Case: Unauthorized data access, privilege escalation, backdoor installation, and service disruption

🟢 If Mitigated: Limited impact due to network segmentation, but still potential for data breach within the iTop environment

🌐 Internet-Facing: HIGH - Web-based application with authenticated RCE allows attackers to gain full control of exposed servers
🏢 Internal Only: HIGH - Even internally accessible instances can be exploited by malicious insiders or compromised accounts

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit code is publicly available on Packet Storm Security. The attack requires authenticated access, but the exploit is straightforward to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.7.6 or 3.0.0

Vendor Advisory: https://github.com/Combodo/iTop/security/advisories/GHSA-v97m-wgxq-rh54

Restart Required: Yes

Instructions:

1. Backup your iTop installation and database.
2. Download iTop version 2.7.6 or 3.0.0 from the official repository.
3. Follow the iTop upgrade documentation for your version.
4. Restart your web server after upgrade completion.

🔧 Temporary Workarounds

No official workarounds

The vendor states there are no known workarounds for this vulnerability

🧯 If You Can't Patch

  • Immediately restrict access to iTop instances using network firewalls or WAF rules
  • Implement strict user account controls, review all accounts, and disable unnecessary ones

🔍 How to Verify

Check if Vulnerable:

Check iTop version in the web interface or examine the 'config-itop.php' file for version information

Check Version:

grep 'ITOP_VERSION' config-itop.php

Verify Fix Applied:

Verify version is 2.7.6 or higher for 2.x branch, or 3.0.0 or higher for 3.x branch

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to iTop endpoints containing TWIG syntax
  • Multiple failed authentication attempts followed by successful login and suspicious requests
  • Web server logs showing execution of system commands

Network Indicators:

  • HTTP requests containing '{{' or TWIG template injection patterns
  • Outbound connections from web server to unexpected destinations

SIEM Query:

source="web_server_logs" AND (url="*iTop*" AND (message="*{{*" OR message="*system(*" OR message="*exec(*"))
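Detection logic for the log indicators above, written as an added example that is not part of this page: it parses combined-format access log lines, URL-decodes the request target, and flags requests to iTop paths that carry TWIG delimiters. The /itop/ prefix and the sample log lines are constructed assumptions; standard access logs record only the query string, so POST bodies need request-body logging or a WAF to be inspected the same way.

```python
"""Flag access-log lines that look like TWIG template injection attempts
against an iTop instance (added example, not from this page or Combodo).
Assumes Apache/Nginx combined log format and iTop served under /itop/
(a constructed path; adjust to your deployment)."""
import re
from urllib.parse import unquote_plus

# Combined log format: ip - user [time] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# TWIG delimiters: {{ expr }}, {% tag %}, {# comment #}; matched after URL-decoding
TWIG_RE = re.compile(r'\{\{|\{%|\{#')
ITOP_PATH_RE = re.compile(r'^/itop/', re.IGNORECASE)  # assumption: iTop under /itop/

def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_twig_probe(entry):
    """True when the request targets iTop and its decoded target carries TWIG syntax."""
    if entry is None or not ITOP_PATH_RE.match(entry["path"]):
        return False
    return bool(TWIG_RE.search(unquote_plus(entry["path"])))

def find_probes(lines):
    """Return (ip, user, decoded path) for every suspicious request."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if is_twig_probe(e):
            hits.append((e["ip"], e["user"], unquote_plus(e["path"])))
    return hits

# Constructed sample lines; the TWIG markers are URL-encoded as a client would send them.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Apr/2022:10:01:02 +0000] "GET /itop/pages/UI.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.9 - alice [12/Apr/2022:10:02:17 +0000] "POST /itop/portal/index.php?x=%7B%7Btest%7D%7D HTTP/1.1" 200 300 "-" "curl/7.79"',
    '10.0.0.9 - alice [12/Apr/2022:10:02:18 +0000] "POST /itop/pages/ajax.render.php?a=%7B%25+set+x%3D1+%25%7D HTTP/1.1" 200 300 "-" "curl/7.79"',
    '10.0.0.7 - - [12/Apr/2022:10:03:00 +0000] "GET /wiki/index.php?title=%7B%7Bstub%7D%7D HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, user, path in find_probes(SAMPLE_LOG):
        print(f"TWIG probe from {ip} ({user}): {path}")
```

The fourth sample line shows why the path filter matters: double braces are common in non-iTop applications (wiki templates, JSON in query strings), so alerting on '{{' alone produces noise.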
