CVE-2025-15602: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes in Grokability, Inc. Snipe-IT
Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently protected against mass assignment. An authenticated, low-privileged user can craft a malicious API request to modify restricted fields of another user account, including the Super Admin account. By changing the email address of the Super Admin and triggering a password reset, an attacker can fully take over the Super Admin account, resulting in complete administrative control of the Snipe-IT instance.
AI Analysis
Technical Summary
CVE-2025-15602 is classified under CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes) and affects Snipe-IT versions prior to 8.3.7. The flaw is a mass-assignment weakness: sensitive user attributes related to account privileges are not adequately protected, so an authenticated user with low privileges can craft API requests that modify restricted fields of other user accounts, including the Super Admin account. By changing the Super Admin's email address and then triggering a password reset, the attacker obtains full administrative control over the Snipe-IT instance. Exploitation requires only an authenticated low-privileged account and no user interaction, which makes the flaw highly exploitable. The CVSS 4.0 base score is 8.7, reflecting a network attack vector, low attack complexity, no privileges required beyond authentication, and no user interaction. The vulnerability affects confidentiality, integrity, and availability by enabling complete takeover of administrative functions. No public exploits are currently known, but the nature and impact of the flaw make it a critical risk for organizations running affected versions. No official patch was linked at the time of publication; upgrading to version 8.3.7 or later is the implied remediation.
Potential Impact
Exploitation of CVE-2025-15602 can have severe consequences for organizations that use Snipe-IT for asset management. An attacker holding Super Admin access can manipulate all data in the system, including sensitive asset information, user credentials, and configuration settings, leading to unauthorized data disclosure, data tampering, and disruption of asset management operations. The attacker could also create backdoors, add or remove users, and potentially pivot to other parts of the network if Snipe-IT is integrated with other systems. Because Snipe-IT is commonly used for IT asset tracking and inventory management, a compromise could disrupt IT operations and incident response capabilities. The ease of exploitation and the high impact on confidentiality, integrity, and availability make this a critical risk, especially for organizations with large or sensitive IT infrastructures. The absence of any user-interaction requirement and the low privileges needed further increase the likelihood of successful attacks once the vulnerability is known.
Mitigation Recommendations
Organizations should immediately upgrade Snipe-IT to version 8.3.7 or later, where this vulnerability is addressed. If immediate upgrade is not possible, implement strict API access controls and monitor API usage for suspicious mass assignment attempts. Enforce strong authentication and authorization policies, ensuring that API endpoints validate and restrict modifications to sensitive user attributes. Employ network segmentation to limit access to the Snipe-IT instance only to trusted users and systems. Enable detailed logging and alerting on user attribute changes, especially those involving privileged accounts. Conduct regular audits of user accounts and permissions to detect unauthorized changes. Consider implementing multi-factor authentication for administrative accounts to mitigate the impact of credential compromise. Finally, stay informed about any official patches or advisories from Grokability, Inc. and apply them promptly.
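To make the mass-assignment pattern from the technical summary and the field-restriction and logging recommendations above concrete, here is an added, constructed Python model; it is not Snipe-IT's own code (which is PHP/Laravel) and the field names (email, permissions, first_name, phone) and the actor/target model are assumptions. The "before" handler writes every key of the request body to the target account, while the hardened handler allowlists fields per actor, refuses sensitive attributes unless the actor is a super admin, and records each sensitive change for alerting.

```python
from dataclasses import dataclass, field

# Assumed attribute split (illustrative, not Snipe-IT's schema): sensitive
# attributes govern privileges or the password-reset path (email), so only a
# super admin may assign them; the rest are safe for a user to edit on self.
SENSITIVE_FIELDS = {"email", "permissions"}
SELF_SERVICE_FIELDS = {"first_name", "last_name", "phone"}
AUDIT_LOG: list[str] = []  # stands in for the change log the mitigation calls for

@dataclass
class User:
    id: int
    email: str
    superuser: bool = False
    attrs: dict = field(default_factory=dict)

def apply_fields(target: User, body: dict) -> None:
    for key, value in body.items():
        if key == "email":
            target.email = value
        else:
            target.attrs[key] = value

def update_user_vulnerable(actor: User, target: User, body: dict) -> None:
    """Before: whatever keys the request body carries are written to the model,
    so a low-privileged actor can set email/permissions on any account."""
    apply_fields(target, body)

def update_user_hardened(actor: User, target: User, body: dict) -> None:
    """After: explicit allowlist per actor, deny on any unknown key, and log
    every change to a sensitive attribute."""
    if actor.id != target.id and not actor.superuser:
        raise PermissionError("only super admins may edit other accounts")
    allowed = SELF_SERVICE_FIELDS | (SENSITIVE_FIELDS if actor.superuser else set())
    rejected = set(body) - allowed
    if rejected:  # reject the whole request rather than silently dropping keys
        raise PermissionError(f"actor {actor.id} may not assign {sorted(rejected)}")
    for key in body:
        if key in SENSITIVE_FIELDS:
            AUDIT_LOG.append(f"actor={actor.id} changed {key} on user={target.id}")
    apply_fields(target, body)

def try_update(fn, actor: User, target: User, body: dict) -> str:
    """Run an update handler and report 'applied' or 'denied'."""
    try:
        fn(actor, target, body)
        return "applied"
    except PermissionError:
        return "denied"
```

Rejecting the whole request on an unexpected key, rather than dropping it, also yields a clear signal to alert on: a low-privileged account submitting privilege or email fields for another user is exactly the pattern the monitoring recommendation targets.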
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Netherlands, India, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-03-06T16:13:18.460Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69ab014fc48b3f10ffac9b50
Added to database: 3/6/2026, 4:31:11 PM
Last enriched: 3/6/2026, 4:45:39 PM
Last updated: 3/7/2026, 8:13:15 AM