CVE-2025-15602 is a vulnerability identified in Grokability, Inc.'s Snipe-IT asset management software, affecting all versions prior to 8.3.7. The root cause is an improper control over modification of dynamically-determined object attributes (CWE-915), specifically related to sensitive user account fields such as account privileges. The vulnerability allows an authenticated user with low privileges to craft malicious API requests that exploit mass assignment weaknesses to modify restricted fields of other user accounts. Notably, an attacker can alter the email address of the Super Admin account. Once the email is changed, the attacker can initiate a password reset process to gain full administrative access to the system. This attack vector requires no user interaction and can be executed remotely over the network, with low attack complexity and no need for elevated privileges beyond basic authentication. The vulnerability severely compromises the confidentiality, integrity, and availability of the Snipe-IT instance, potentially allowing complete takeover. The CVSS v4.0 score is 8.7 (high severity), reflecting the ease of exploitation and the critical impact on system security. No public exploits are currently known, but the vulnerability represents a significant risk to organizations relying on Snipe-IT for asset management.

The exploitation of CVE-2025-15602 can have devastating consequences for organizations using vulnerable versions of Snipe-IT. An attacker gaining Super Admin privileges can fully control the asset management system, allowing unauthorized access to sensitive asset data, modification or deletion of records, and disruption of asset tracking processes. This can lead to loss of data integrity, unauthorized disclosure of confidential information, and operational downtime. The compromise of administrative credentials also opens the door for further lateral movement within the organization's network, potentially escalating to broader system compromises. Since Snipe-IT is often used by IT and asset management teams, the impact extends to critical infrastructure management and compliance reporting. The vulnerability's ease of exploitation and high impact make it a significant risk for organizations globally, especially those with internet-facing Snipe-IT instances or weak internal network segmentation.

To mitigate this vulnerability, organizations should immediately upgrade all Snipe-IT instances to version 8.3.7 or later, where the issue has been addressed. In addition, implement strict API access controls and input validation to prevent mass assignment attacks. Review and harden authentication and authorization mechanisms to ensure that low-privileged users cannot modify sensitive account attributes. Employ network segmentation and firewall rules to restrict access to Snipe-IT APIs to trusted users and systems only. Monitor logs for unusual API requests or account modifications, especially changes to high-privilege accounts. Implement multi-factor authentication (MFA) for all administrative accounts to reduce the risk of account takeover via password reset. Regularly audit user privileges and conduct penetration testing focused on API security to detect similar vulnerabilities proactively.