CVE-2025-49145
📋 TL;DR
A privilege escalation vulnerability in Combodo iTop lets an authenticated user who is allowed to create webhooks (in practice, an administrator) execute arbitrary database operations against the iTop database, up to and including dropping it entirely. Affected releases are iTop 2.x before 2.7.13 and 3.x before 3.2.2. The vulnerability stems from insufficient validation of callback signatures in the webhook functionality.
💻 Affected Systems
- Combodo iTop
📦 What is this software?
iTop by Combodo: an open-source, web-based IT service management (ITSM) and CMDB application.
⚠️ Risk & Real-World Impact
Worst Case
Complete database destruction leading to permanent data loss, service disruption, and potential compromise of sensitive IT service management information.
Likely Case
Malicious administrator or compromised admin account drops critical database tables, causing extended downtime and data recovery challenges.
If Mitigated
Limited impact with proper access controls, database backups, and monitoring in place to detect and respond to unauthorized database operations.
🎯 Exploit Status
Exploitation requires authenticated access with webhook creation privileges. The vulnerability is straightforward to exploit once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.7.13 or 3.2.2
Vendor Advisory: https://github.com/Combodo/iTop/security/advisories/GHSA-55q8-mfxr-pq4j
Restart Required: Yes
Instructions:
1. Back up your iTop installation and its database.
2. Download iTop 2.7.13 (2.x branch) or 3.2.2 (3.x branch) from official sources.
3. Follow the iTop upgrade documentation for your version.
4. Verify that callback signature verification is enabled in the webhook configuration.
🔧 Temporary Workarounds
Restrict Webhook Permissions
Until the patch is applied, remove the ability to create or modify webhooks from every account that does not strictly need it. Because this right normally comes with the Administrator profile, the workaround only helps if you also reduce the number of administrator accounts and protect the remaining ones (strong authentication, no shared logins); a compromised administrator still holds the privilege.
Edit iTop user profiles so that no account keeps the webhook creation permission while the instance is unpatched.
Database Access Controls
Restrict the MySQL/MariaDB account that iTop connects with so that it cannot drop objects in the iTop schema. iTop's grant is normally scoped to its own database, so revoke at that scope: a global REVOKE ... ON *.* fails if the privilege was never granted globally. Two caveats: the flaw allows arbitrary database operations, so revoking DROP only limits the blast radius (DELETE and UPDATE remain possible); and iTop's setup and upgrade steps need DROP and ALTER, so re-grant them before running the upgrade to 2.7.13 or 3.2.2. Replace the database and account names with your own.
REVOKE DROP ON `itop_db`.* FROM 'itop_user'@'localhost';
🧯 If You Can't Patch
- Apply strict least privilege to iTop administrator accounts: as few as possible, individually named, strongly authenticated
- Take regular, tested database backups stored off the database host, and alert on DROP and TRUNCATE statements issued by the iTop database account
🔍 How to Verify
Check if Vulnerable:
Check the iTop version in the application interface or configuration files. On the 2.x branch, anything before 2.7.13 is vulnerable; on the 3.x branch, anything before 3.2.2 (including 3.0.x and 3.1.x) is vulnerable.
Check Version:
Check the 'itop-version.php' file or application dashboard for version information.
Verify Fix Applied:
Verify the version is 2.7.13 or higher (2.x branch) or 3.2.2 or higher (3.x branch), and confirm that webhook callback signature verification is enabled in the configuration.
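The branch-aware check described above, written out as an added example (not code from the page or from Combodo). It assumes iTop version strings of the form major.minor.patch with an optional suffix, as in 3.1.1-1; the hostnames in the sample inventory are constructed. The subtle case it handles is that 3.0.x and 3.1.x are numerically newer than 2.7.13 yet still predate the 3.x fix.

```python
"""Classify iTop version strings against the CVE-2025-49145 fix releases."""
import re
from typing import Optional

# Fixed releases named in the advisory: 2.7.13 on the 2.x branch, 3.2.2 on 3.x.
FIX_2X = (2, 7, 13)
FIX_3X = (3, 2, 2)

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

# Constructed inventory (hypothetical hostnames, not real systems).
SAMPLE_INVENTORY = {
    "itop-prod": "3.1.1-2",
    "itop-legacy": "2.7.12",
    "itop-new": "3.2.2",
    "itop-lab": "n/a",
}


def parse_version(s: str) -> Optional[tuple[int, int, int]]:
    """Extract (major, minor, patch) from strings such as '3.1.1-1'; None if absent."""
    m = VERSION_RE.match(s.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version predates the fix for its branch; None if unparseable.

    A plain 'newer than 2.7.13' comparison would wrongly clear 3.0.x and 3.1.x,
    so the branch is selected first and then compared against its own fix.
    """
    v = parse_version(version)
    if v is None:
        return None
    if v[0] < 3:
        return v < FIX_2X
    return v < FIX_3X


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts into vulnerable / fixed / unknown buckets for follow-up."""
    out: dict[str, list[str]] = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, ver in inventory.items():
        r = is_vulnerable(ver)
        bucket = "unknown" if r is None else ("vulnerable" if r else "fixed")
        out[bucket].append(host)
    return out


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feed it the version strings collected from each instance; anything in the "unknown" bucket needs a manual look rather than being assumed safe.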
📡 Detection & Monitoring
Log Indicators:
- Unexpected DROP DATABASE or DROP TABLE statements in database logs
- Webhook creation or modification events from unexpected users
- Database connection errors or missing tables
Network Indicators:
- Unusual database traffic patterns from iTop application server
- Multiple failed database operations followed by DROP commands
SIEM Query (Splunk-style; adjust field names to your log source):
source="database_logs" AND ("DROP DATABASE" OR "DROP TABLE") AND source_ip="<iTop_server_ip>"
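The log indicators above turned into detection logic, as an added example that is not part of the page or of Combodo's code. It parses MySQL general_log lines, tracks which database account opened each connection thread, and flags DROP DATABASE/SCHEMA/TABLE and TRUNCATE statements issued by the iTop account, including ones hidden behind a leading SQL comment. The log excerpt, the account name itop_user and the host app01 are constructed for the example; the thread-to-account attribution assumes the connection's Connect line is present in the same log window.

```python
"""Flag destructive SQL issued over iTop's database connections in a MySQL general_log."""
import re
from dataclasses import dataclass

# Constructed general_log excerpt (hypothetical hosts, users and timestamps).
SAMPLE_LOG = """\
2025-06-15T10:21:58.001000Z\t   42 Connect\titop_user@app01 on itop_db using TCP/IP
2025-06-15T10:21:58.002000Z\t   42 Query\tSELECT id, name FROM contact WHERE id = 7
2025-06-15T10:22:01.123456Z\t   43 Connect\tbackup@localhost on itop_db using Socket
2025-06-15T10:22:01.200000Z\t   43 Query\tFLUSH TABLES WITH READ LOCK
2025-06-15T10:22:05.000000Z\t   42 Query\t/* cb */ drop   table `priv_internaluser`
2025-06-15T10:22:06.000000Z\t   42 Query\tDROP DATABASE IF EXISTS itop_db
2025-06-15T10:22:07.000000Z\t   42 Quit\t
"""

# general_log line layout: <timestamp>\t<thread id> <command>\t<argument>
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<thread>\d+)\s+(?P<cmd>\w+)\t?(?P<arg>.*)$")
CONNECT_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<host>\S+)")
# Leading /* ... */ comments are skipped so a comment prefix cannot hide the verb.
DESTRUCTIVE_RE = re.compile(
    r"^\s*(?:/\*.*?\*/\s*)*(?P<kind>DROP\s+(?:DATABASE|SCHEMA|TABLE)|TRUNCATE\s+TABLE)\b",
    re.IGNORECASE | re.DOTALL,
)


@dataclass
class Alert:
    ts: str
    thread: int
    user: str
    host: str
    kind: str       # normalised verb, e.g. "DROP TABLE"
    statement: str  # the SQL text as logged


def scan_general_log(text: str, watched_users=("itop_user",)) -> list[Alert]:
    """Return one Alert per destructive statement issued by a watched DB account.

    Connect/Quit events are tracked per thread id so each Query can be attributed
    to the account and client host that opened the connection.
    """
    sessions: dict[int, tuple[str, str]] = {}
    alerts: list[Alert] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        thread = int(m["thread"])
        cmd, arg = m["cmd"], m["arg"].strip()
        if cmd == "Connect":
            c = CONNECT_RE.match(arg)
            if c:
                sessions[thread] = (c["user"], c["host"])
            continue
        if cmd == "Quit":
            sessions.pop(thread, None)
            continue
        if cmd != "Query":
            continue
        user, host = sessions.get(thread, ("unknown", "unknown"))
        if user not in watched_users:
            continue
        d = DESTRUCTIVE_RE.match(arg)
        if d:
            kind = re.sub(r"\s+", " ", d["kind"]).upper()
            alerts.append(Alert(m["ts"], thread, user, host, kind, arg))
    return alerts


if __name__ == "__main__":
    for a in scan_general_log(SAMPLE_LOG):
        print(f"{a.ts} thread={a.thread} {a.user}@{a.host} {a.kind}: {a.statement}")
```

The general log is expensive on a busy server; if you cannot leave it on, the same logic applies to audit-plugin output, which carries the same user, host and statement fields. Either way the useful signal is the combination of the iTop account with a DDL verb, not the verb alone, since backups and schema migrations legitimately issue DROP.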