CVE-2025-24022
📋 TL;DR
This vulnerability allows remote code execution through iTop's web portal frontend: attacker-controlled input reaches an OS command without proper sanitization (CWE-78), so an attacker who can reach the portal can execute arbitrary commands on the server. All iTop installations on versions before 2.7.12 (2.7 branch), 3.1.3 (3.1 branch) or 3.2.1 (3.2 branch) are affected.
💻 Affected Systems
- iTop (IT Service Management tool)
📦 What is this software?
Itop by Combodo
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise allowing attackers to execute arbitrary commands, access sensitive data, install malware, pivot to other systems, and maintain persistent access.
Likely Case
Server compromise leading to data theft, service disruption, and potential lateral movement within the network.
If Mitigated
Limited impact with proper network segmentation, but still potential for service disruption if exploited.
🎯 Exploit Status
Based on CWE-78 (OS Command Injection) and a CVSS score of 8.5, exploitation is likely straightforward once the vulnerable code path is known, and the fix commits are public (see References), so the details can be recovered by diffing. No public exploit is referenced on this page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.7.12, 3.1.3, or 3.2.1
Vendor Advisory: https://github.com/Combodo/iTop/security/advisories/GHSA-rhv2-wfrr-4j2j
Restart Required: Yes
Instructions:
1. Back up your iTop installation and database.
2. Download the patched version from the official iTop repository.
3. Follow the iTop upgrade documentation for your version.
4. Restart the web server services.
5. Verify the fix by checking the installed version.
🔧 Temporary Workarounds
Restrict Portal Access
Temporarily disable or restrict the iTop portal frontend to prevent exploitation until you can patch. The advisory does not document a single configuration switch for this, so the reliable option is to block or allow-list the portal URLs at the web server or reverse proxy (for example, deny access except from trusted networks) and re-enable them after upgrading.
Web Application Firewall Rules
Implement WAF rules to block OS command injection patterns. An example ModSecurity rule that rejects any request argument containing a shell metacharacter:

```apache
SecRule ARGS "@rx [;&|`$()]" \
    "id:1001,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'Shell metacharacter in request argument'"
```

Caveat: this pattern is deliberately broad and will produce false positives on legitimate data (free-text fields, search terms), so test it in DetectionOnly mode first and narrow it to the portal paths if needed. It is a stopgap, not a substitute for the patch.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate iTop servers from critical systems
- Deploy web application firewall with command injection detection rules
🔍 How to Verify
Check if Vulnerable:
Check the iTop version in the administration panel, or on the server by reading the ITOP_VERSION constant defined in approot.inc.php at the root of the installation. The version is vulnerable if it is below the fix version for its branch (2.7.12, 3.1.3 or 3.2.1); branches with no fix listed (for example 3.0.x) should be treated as vulnerable and upgraded to a fixed branch.
Check Version:
# In the admin panel, or on the server (path relative to the iTop install root):
# grep "ITOP_VERSION" approot.inc.php
Verify Fix Applied:
Confirm the installed version is at or above the fix for its branch (2.7.12, 3.1.3 or 3.2.1, or a later release). After upgrading, confirm that portal users can still log in and use the portal normally.
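The branch-aware version check described above, as an added example (not code from the iTop project): it parses the ITOP_VERSION constant out of approot.inc.php and decides whether the install predates the fix for its branch. The define('ITOP_VERSION', '...') format and the treatment of unlisted older branches as vulnerable are assumptions stated in the comments; the sample PHP text is constructed.

```python
import re

# Fix versions from the advisory (GHSA-rhv2-wfrr-4j2j), one per maintained branch.
FIXED_VERSIONS = ("2.7.12", "3.1.3", "3.2.1")

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
# Assumption: approot.inc.php carries a PHP define such as
#   define('ITOP_VERSION', '3.1.2');
# Adjust the pattern if your install's layout differs.
_DEFINE_RE = re.compile(r"define\(\s*'ITOP_VERSION'\s*,\s*'([^']+)'\s*\)")


def parse_version(text):
    """Return (major, minor, patch) from strings like '3.1.2' or '3.2.0-1'.

    Anything after the third number (build suffixes) is ignored.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no x.y.z version found in %r" % text)
    return tuple(int(x) for x in m.groups())


def extract_version_from_approot(php_source):
    """Pull the ITOP_VERSION constant out of the contents of approot.inc.php."""
    m = _DEFINE_RE.search(php_source)
    if not m:
        raise ValueError("ITOP_VERSION not found in the supplied source")
    return m.group(1)


def is_vulnerable(version):
    """True if this version predates the fix for its branch.

    Branch rules taken from the advisory:
      2.7.x fixed at 2.7.12
      3.1.x fixed at 3.1.3
      3.2.x fixed at 3.2.1
    Assumption: branches older than 3.2.1 with no listed fix (e.g. 2.6.x, 3.0.x)
    never received one and count as vulnerable; anything newer than 3.2.1 is
    treated as fixed.
    """
    v = parse_version(version)
    fixed = [parse_version(f) for f in FIXED_VERSIONS]
    for f in fixed:
        if v[:2] == f[:2]:          # same major.minor branch: compare patch level
            return v[2] < f[2]
    return v < max(fixed)           # unlisted branch: only newer-than-all is safe


def check_install(approot_source):
    """Return (version_string, vulnerable) for the given approot.inc.php contents."""
    version = extract_version_from_approot(approot_source)
    return version, is_vulnerable(version)


if __name__ == "__main__":
    # Constructed sample of the relevant line from approot.inc.php.
    sample = "<?php\n// ...\ndefine('ITOP_VERSION', '3.1.2');\n"
    version, vulnerable = check_install(sample)
    print("iTop %s: %s" % (version, "VULNERABLE" if vulnerable else "fixed"))
```

Usage: read the real file with `open("approot.inc.php").read()` and pass it to `check_install()`. The branch logic matters because a plain "is it below 3.2.1" comparison would wrongly flag a patched 2.7.12 or 3.1.3 install.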
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution patterns in web server logs
- Suspicious POST/GET requests to portal endpoints with shell metacharacters
- Unexpected process execution from web server user
Network Indicators:
- HTTP requests containing shell metacharacters (&, ;, |, `, $)
- Unusual outbound connections from web server to external systems
SIEM Query:
```
source="web_server" AND url="*portal*" AND (method="POST" OR method="GET") AND (content="*;*" OR content="*|*" OR content="*`*" OR content="*$(*" OR content="*%3B*" OR content="*%7C*" OR content="*%24%28*")
```
Notes: the query above is illustrative pseudo-syntax; adapt the field names to your SIEM. A bare `*&*` match is omitted because `&` separates every multi-parameter query string and would flag nearly all traffic; match it only inside decoded parameter values. Decode URL-encoded payloads (or include the encoded forms, as above) before matching, since `%3B` and `%7C` are as dangerous as `;` and `|`. Web server access logs do not record POST bodies, so POST-based injection is only visible if request-body logging (for example a WAF audit log) is enabled.
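The access-log check sketched in the SIEM query, as an added example (not part of the original page or the iTop project): it parses combined-format web server log lines, keeps only requests to portal URLs, percent-decodes each query parameter value (twice, to catch double encoding) and reports values containing shell metacharacters. The log lines, client addresses and portal paths are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Combined log format: host ident user [time] "METHOD URL PROTO" status bytes ...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Metacharacters from the page's indicator list, matched after decoding.
_META_RE = re.compile(r"[;&|`]|\$\(")


def is_portal_request(url):
    """Crude path filter: anything mentioning the portal. Tune to your install."""
    return "portal" in url.lower()


def suspicious_args(url):
    """Return (name, decoded_value) pairs whose value holds a shell metacharacter.

    The raw query is split on '&' first, so a literal '&' separator is not
    flagged; an encoded '%26' inside a value decodes to '&' and is flagged.
    Decoding twice catches double-encoded payloads such as %2524%2528 -> $(.
    """
    if "?" not in url:
        return []
    query = url.split("?", 1)[1]
    hits = []
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        decoded = unquote_plus(unquote_plus(value))
        if _META_RE.search(decoded):
            hits.append((unquote_plus(name), decoded))
    return hits


def scan_access_log(lines):
    """Return (ip, method, url, hits) for portal requests carrying metacharacters."""
    findings = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not combined format
        url = m.group("url")
        if not is_portal_request(url):
            continue
        hits = suspicious_args(url)
        if hits:
            findings.append((m.group("ip"), m.group("method"), url, hits))
    return findings


# Constructed sample log lines; the portal paths are illustrative, not iTop's real routes.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2025:12:00:01 +0000] "GET /pages/exec.php?exec_module=itop-portal&exec_page=index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2025:12:00:07 +0000] "GET /portal/object/edit?name=foo%3Bid HTTP/1.1" 200 812 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Mar/2025:12:00:09 +0000] "GET /portal/search?q=disk%2524%2528id%2529 HTTP/1.1" 200 300 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Mar/2025:12:00:10 +0000] "GET /pages/UI.php?operation=list;id=1 HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, method, url, hits in scan_access_log(SAMPLE_LOG):
        print(ip, method, url, hits)
```

Only the two portal requests with decoded metacharacters are reported; the first line is a normal portal hit and the last carries a `;` but is not a portal URL. Because access logs omit POST bodies, run the same `suspicious_args` logic over WAF audit logs or request-body captures to cover POST-based injection, and expect to whitelist fields where `&` or `$` are legitimate.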
🔗 References
- https://github.com/Combodo/iTop/commit/082d865efaf8a349b60fe3875e9c726c24f8a8bd
- https://github.com/Combodo/iTop/commit/37fc1a572380f2faa67fddea5b1a3a4ba72ed54e
- https://github.com/Combodo/iTop/commit/5780f26817c2303c5bdd0ad16e21d4d959780b0b
- https://github.com/Combodo/iTop/security/advisories/GHSA-rhv2-wfrr-4j2j