CVE-2025-15602
📋 TL;DR
This mass assignment vulnerability in Snipe-IT allows authenticated low-privileged users to modify restricted user attributes, including those of Super Admin accounts. By changing the Super Admin's email and triggering a password reset, attackers can gain complete administrative control. All Snipe-IT instances running versions before 8.3.7 are affected.
💻 Affected Systems
- Snipe-IT
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Snipe-IT instance with administrative control, allowing data theft, system manipulation, and potential lateral movement to connected systems.
Likely Case
Privilege escalation leading to unauthorized administrative access, data exfiltration, and system configuration changes.
If Mitigated
Limited impact with proper access controls and monitoring, potentially detected before full compromise.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once an attacker has any valid user account.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.3.7
Vendor Advisory: https://github.com/grokability/snipe-it/releases/tag/v8.3.7
Restart Required: Yes
Instructions:
1. Back up your Snipe-IT database and files.
2. Update to version 8.3.7 or later via git pull or package update.
3. Run database migrations if required.
4. Restart web server services.
🔧 Temporary Workarounds
API Rate Limiting
Implement strict rate limiting on API endpoints to slow down automated attempts to exploit the mass assignment flaw.
Configure web server rate limiting (e.g., nginx limit_req, Apache mod_ratelimit)
Enhanced Monitoring
Monitor for unusual API requests modifying user attributes, especially email changes.
Set up alerts for POST/PUT requests to user API endpoints
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Snipe-IT from critical systems
- Enforce multi-factor authentication for all user accounts and monitor for suspicious login attempts
🔍 How to Verify
Check if Vulnerable:
Check Snipe-IT version in web interface footer or via command line in installation directory.
Check Version:
cd /path/to/snipe-it && php artisan --version
Verify Fix Applied:
Confirm version is 8.3.7 or later and test API endpoints for mass assignment protection.
📡 Detection & Monitoring
Log Indicators:
- Unusual API requests modifying user email fields
- Multiple failed login attempts followed by password reset requests
- User privilege changes from low to admin
Network Indicators:
- Bursts of API requests to user modification endpoints
- Unusual patterns in authentication traffic
SIEM Query:
source="snipe-it-logs" AND (user_email_changed OR admin_privilege_modified)
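The log indicators above, turned into a small detector as an added example (not part of this advisory and not Snipe-IT's own code). It assumes a simplified one-JSON-object-per-line audit format with actor/target privilege flags; the sample events are constructed and do not follow Snipe-IT's real log schema.

```python
import json

# Constructed sample events (assumed simplified JSON audit format, not Snipe-IT's real schema).
# ts = seconds; actor_admin/target_admin mark Super Admin accounts; actor None = unauthenticated flow.
SAMPLE_LOG = """
{"ts": 100, "actor": "alice", "actor_admin": false, "action": "update", "target": "root", "target_admin": true, "field": "email", "old": "root@corp.example", "new": "ext@mail.example"}
{"ts": 130, "actor": null, "actor_admin": false, "action": "password_reset_request", "target": "root", "target_admin": true, "field": null, "old": null, "new": null}
{"ts": 200, "actor": "bob", "actor_admin": false, "action": "update", "target": "bob", "target_admin": false, "field": "permissions", "old": "user", "new": "superuser"}
{"ts": 300, "actor": "root", "actor_admin": true, "action": "update", "target": "carol", "target_admin": false, "field": "email", "old": "c@corp.example", "new": "carol@corp.example"}
{"ts": 400, "actor": "dave", "actor_admin": false, "action": "update", "target": "dave", "target_admin": false, "field": "email", "old": "d@corp.example", "new": "dave@corp.example"}
"""


def parse_events(text):
    """Parse one JSON event per non-empty line, keeping the original order."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect(events, reset_window=600):
    """Return (rule, actor, target, ts) alerts for the three indicator patterns.

    1. A non-admin actor changes the email of a Super Admin account.
    2. A non-admin actor's permissions are raised to superuser.
    3. A password reset is requested for an account within reset_window
       seconds after such an email change (the takeover sequence).
    """
    alerts = []
    email_changed_at = {}  # target -> ts of last suspicious email change
    for e in sorted(events, key=lambda ev: ev["ts"]):
        is_update = e["action"] == "update"
        if is_update and e["field"] == "email" and e["target_admin"] and not e["actor_admin"]:
            alerts.append(("admin_email_changed_by_low_priv", e["actor"], e["target"], e["ts"]))
            email_changed_at[e["target"]] = e["ts"]
        if is_update and e["field"] == "permissions" and not e["actor_admin"] and e["new"] == "superuser":
            alerts.append(("privilege_escalation", e["actor"], e["target"], e["ts"]))
        if e["action"] == "password_reset_request":
            changed = email_changed_at.get(e["target"])
            if changed is not None and 0 <= e["ts"] - changed <= reset_window:
                alerts.append(("reset_after_email_change", e["actor"], e["target"], e["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

Routine self-service changes (an admin correcting another user's email, a user fixing their own address) produce no alert, so the output is limited to the escalation sequence the advisory describes.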