CVE-2025-48878

4.3 MEDIUM

📋 TL;DR

This vulnerability allows authenticated users with Service Desk Agent permissions in Combodo iTop to create ModuleInstallation objects without proper authorization. It affects iTop 3.x versions before 3.2.2, enabling privilege escalation through insecure direct object references.

💻 Affected Systems

Products:
  • Combodo iTop
Versions: 3.x versions prior to 3.2.2
Operating Systems: All platforms running iTop
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user with Service Desk Agent profile or equivalent permissions.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An authenticated attacker could install malicious modules, potentially gaining administrative privileges, executing arbitrary code, or compromising the entire iTop instance.

🟠

Likely Case

Service desk agents could install unauthorized modules, modify system functionality, or gain elevated privileges beyond their intended role.

🟢

If Mitigated

With proper access controls and monitoring, impact is limited to unauthorized module installations that can be detected and rolled back.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access and knowledge of the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.2

Vendor Advisory: https://github.com/Combodo/iTop/security/advisories/GHSA-rj75-7cgw-4556

Restart Required: Yes

Instructions:

1. Back up your iTop instance and database.
2. Download iTop 3.2.2 or later from official sources.
3. Follow the iTop upgrade procedure for your deployment method.
4. Verify the upgrade completed successfully.

🔧 Temporary Workarounds

Restrict Module Installation Permissions

Temporarily remove module installation capabilities from Service Desk Agent profiles

Modify user profile permissions in iTop administration interface to remove 'Module Installation' rights

🧯 If You Can't Patch

  • Implement strict access controls to limit which users can access module management interfaces
  • Enable detailed logging for all module installation attempts and monitor for unauthorized activity

🔍 How to Verify

Check if Vulnerable:

Check iTop version in administration panel or via setup/install.php. Versions 3.0.0 through 3.2.1 are vulnerable.

Check Version:

Check iTop version in web interface or examine config file for version information.

Verify Fix Applied:

Confirm version is 3.2.2 or later and test that Service Desk Agent users cannot create ModuleInstallation objects.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized attempts to create ModuleInstallation objects
  • Module installation events from non-admin users

Network Indicators:

  • POST requests to module installation endpoints from unauthorized users

SIEM Query:

source="iTop" AND (event="module_install" OR event="ModuleInstallation") AND user_role!="Administrator"
