CVE-2025-47286

7.2 HIGH

📋 TL;DR

This vulnerability allows administrators in Combodo iTop to execute arbitrary code on the server by editing the instance configuration. It affects iTop versions before 2.7.13 and 3.2.2, requiring administrator privileges for exploitation.

💻 Affected Systems

Products:
  • Combodo iTop
Versions: All versions prior to 2.7.13 and 3.2.2
Operating Systems: All platforms running iTop
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrator privileges to exploit. Affects both iTop 2.x and 3.x branches.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise with complete administrative control, data exfiltration, and potential lateral movement to other systems.

🟠 Likely Case

Administrator account compromise leading to unauthorized code execution, configuration changes, and potential data manipulation.

🟢 If Mitigated

Limited impact when proper access controls and monitoring are in place, since only authorized administrators are able to trigger the flaw.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires administrator access to modify configuration parameters.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.7.13 or 3.2.2

Vendor Advisory: https://github.com/Combodo/iTop/security/advisories/GHSA-4w93-rw6g-5m9c

Restart Required: Yes

Instructions:

1. Back up your iTop instance and database.
2. Download and install iTop version 2.7.13 (2.x branch) or 3.2.2 (3.x branch).
3. Follow the official upgrade procedure.
4. Restart the web server.

🔧 Temporary Workarounds

Restrict Administrator Access (platform: all)

Limit the number of administrator accounts and implement strict access controls.

Configuration File Monitoring (platform: linux)

Implement file integrity monitoring on iTop configuration files. The -k key on the audit rule below tags every matching record, so the writes can later be retrieved with ausearch -k itop_config.

# Example for Linux using auditd
sudo auditctl -w /var/www/html/iTop/conf/production/config-itop.php -p wa -k itop_config

🧯 If You Can't Patch

  • Implement strict least-privilege access controls for administrator accounts
  • Enable comprehensive logging and monitoring of configuration changes

🔍 How to Verify

Check if Vulnerable:

Check the iTop version in the web interface or by examining the version file.

Check Version:

Check the file 'version.php' in the iTop installation directory, or read the version shown in the web interface footer.

Verify Fix Applied:

Verify that the installed version is 2.7.13 or higher on the 2.x branch, or 3.2.2 or higher on the 3.x branch.
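As an added example (not from this advisory, and not code from Combodo or iTop), the following POSIX shell script pulls the installed version out of a version file and compares it against the fixed releases named above, 2.7.13 for the 2.x branch and 3.2.2 for the 3.x branch. The sample file it creates, including the ITOP_VERSION define name, is constructed for the demo; point itop_version_from_file at the real file in your installation.

```shell
#!/bin/sh
# Added example, not part of the advisory or of iTop itself.
# Decides whether an installed iTop version is at or above the fixed release
# for its branch (2.7.13 for 2.x, 3.2.2 for 3.x, as stated in the advisory).

# vercmp A B: print -1, 0 or 1 for dotted numeric versions A < B, A = B, A > B.
# Pure POSIX sh, so it does not depend on GNU "sort -V".
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        # drop the consumed leading component (or empty the string on the last one)
        if [ "$a" = "$ah" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bh" ]; then b=""; else b="${b#*.}"; fi
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# itop_is_fixed VERSION: exit 0 when VERSION is at or above the fixed release
# of its branch, 1 when it is still affected, 2 for a branch the advisory
# does not cover.
itop_is_fixed() {
    case "$1" in
        2.*) fixed="2.7.13" ;;
        3.*) fixed="3.2.2" ;;
        *)   return 2 ;;
    esac
    [ "$(vercmp "$1" "$fixed")" -ge 0 ]
}

# itop_version_from_file PATH: first x.y.z string found in the file. Which
# file holds the version constant is an assumption here; the advisory only
# says 'version.php' in the installation directory.
itop_version_from_file() {
    grep -oE '[0-9]+\.[0-9]+\.[0-9]+' "$1" | head -n 1
}

# Stand-alone demo on a constructed sample file, not a real iTop file.
demo() {
    tmp=$(mktemp)
    printf "<?php\n// constructed sample\ndefine('ITOP_VERSION', '3.2.1');\n" > "$tmp"
    v=$(itop_version_from_file "$tmp")
    rm -f "$tmp"
    if itop_is_fixed "$v"; then
        echo "iTop $v: at or above the fixed release"
    else
        echo "iTop $v: affected by CVE-2025-47286, upgrade to 2.7.13 / 3.2.2"
    fi
}

demo
```

Run it as `sh check-itop.sh`; in a fleet check, replace the demo with `itop_is_fixed "$(itop_version_from_file /path/to/version.php)"` and branch on the exit code (0 fixed, 1 affected, 2 unknown branch). Version strings with a non-numeric suffix are reduced to their leading x.y.z by the grep.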

📡 Detection & Monitoring

Log Indicators:

  • Unusual configuration file modifications
  • Unexpected process execution from web server context
  • Administrator account activity outside normal patterns

Network Indicators:

  • Unusual outbound connections from the iTop server
  • Unexpected command and control traffic

SIEM Query:

source="iTop_logs" AND (event="config_modified" OR event="admin_action")
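The auditd rule in the workaround section tags every write to the configuration file with the key itop_config. As an added example (not from this advisory), the shell filter below reduces raw audit.log records carrying that key to timestamp, uid and executable, and counts the writes made by a given program. If, as this example assumes, an administrator's configuration edit in the iTop UI is written to disk by the PHP worker, then config-file writes attributed to that worker are the on-disk trace of the activity this advisory describes, while writes from an interactive editor are routine maintenance. The audit lines are constructed samples, not captured output, and the php-fpm path is an assumption.

```shell
#!/bin/sh
# Added example, not part of the advisory. Reduces raw auditd records produced
# by the "-k itop_config" watch rule to "<epoch> <uid> <exe>" and counts the
# writes made by a given executable.

# Constructed sample audit.log lines (not captured from a real system).
SAMPLE_AUDIT=$(cat <<'EOF'
type=SYSCALL msg=audit(1700000000.101:5001): arch=c000003e syscall=257 success=yes exit=5 auid=1000 uid=0 gid=0 euid=0 comm="vim" exe="/usr/bin/vim" key="itop_config"
type=PATH msg=audit(1700000000.101:5001): item=0 name="/var/www/html/iTop/conf/production/config-itop.php" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.202:5002): arch=c000003e syscall=257 success=yes exit=7 auid=4294967295 uid=33 gid=33 euid=33 comm="php-fpm8.2" exe="/usr/sbin/php-fpm8.2" key="itop_config"
type=PATH msg=audit(1700000000.202:5002): item=0 name="/var/www/html/iTop/conf/production/config-itop.php" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.303:5003): arch=c000003e syscall=257 success=yes exit=3 auid=4294967295 uid=33 gid=33 euid=33 comm="php-fpm8.2" exe="/usr/sbin/php-fpm8.2" key="other_rule"
EOF
)

# audit_config_writes: stdin raw audit lines -> one "<epoch> <uid> <exe>" line
# per SYSCALL record tagged with the itop_config key. The leading space before
# uid= keeps the auid= and euid= fields from matching.
audit_config_writes() {
    grep '^type=SYSCALL ' | grep 'key="itop_config"' \
    | sed -E 's/.*msg=audit\(([0-9]+)\.[0-9]+:[0-9]+\).* uid=([0-9]+) .* exe="([^"]+)".*/\1 \2 \3/'
}

# writes_by_exe EXE: number of itop_config writes whose executable is EXE.
writes_by_exe() {
    audit_config_writes | awk -v want="$1" '$3 == want { n++ } END { print n + 0 }'
}

# Stand-alone demo: list every tagged write, then count those made by the PHP
# worker (the binary path is an assumption; adjust to the local php-fpm).
printf '%s\n' "$SAMPLE_AUDIT" | audit_config_writes
n=$(printf '%s\n' "$SAMPLE_AUDIT" | writes_by_exe /usr/sbin/php-fpm8.2)
echo "config writes from the web server process: $n"
```

On a live host, feed the filter from the audit log instead of the sample, for example `ausearch -k itop_config --raw | audit_config_writes`, and correlate each php-fpm write with the administrator session active at that timestamp in the iTop application logs.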
