CVE-2025-24021: CWE-862: Missing Authorization in Combodo iTop

Severity: Medium
Tags: Vulnerability, CVE, CVE-2025-24021, CWE-862
Published: Wed May 14 2025 (05/14/2025, 14:48:42 UTC)
Source: CVE
Vendor/Project: Combodo
Product: iTop

Description

iTop is a web-based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can set values on object fields that they are not supposed to be able to modify. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue.

AI-Powered Analysis

AI analysis last updated: 07/06/2025, 15:10:04 UTC

Technical Analysis

CVE-2025-24021 is a medium severity vulnerability in Combodo iTop, a widely used web-based IT Service Management (ITSM) tool. It is classified under CWE-862 (Missing Authorization). In versions prior to 2.7.12, from 3.0.0 before 3.1.3, and from 3.2.0 before 3.2.1, any user with portal access (an account, but not necessarily elevated privileges) can set values on object fields that they should not be permitted to modify, because the application does not properly check authorization for those writes. This lets such users alter the integrity of data held in the system. The vulnerability does not directly affect confidentiality or availability; it affects the integrity of data managed by iTop. The CVSS v3.1 score is 5.0 (medium), with a vector of network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), and changed scope (S:C). The changed scope indicates that the vulnerability affects resources beyond the privileges of the initial user, potentially impacting other components or users. No exploits in the wild are currently reported. The issue was addressed in versions 2.7.12, 3.1.3, and 3.2.1, which add the missing authorization checks to prevent unauthorized field modifications.

Potential Impact

For European organizations using Combodo iTop for ITSM, this vulnerability poses a risk to the integrity of their IT service management data. Unauthorized modification of object fields could lead to inaccurate asset records, misconfigured service tickets, or incorrect change management data. This can disrupt IT operations, cause misinformed decision-making, and potentially lead to compliance issues, especially in regulated industries such as finance, healthcare, and government sectors prevalent across Europe. While the vulnerability does not directly expose sensitive data or cause service outages, the integrity compromise could be leveraged by malicious insiders or attackers who gain low-level access to manipulate ITSM workflows, potentially masking malicious activities or causing operational disruptions. The lack of user interaction and low complexity of exploitation make it feasible for attackers with portal access to abuse this flaw. Given the critical role of ITSM tools in managing enterprise IT infrastructure, the impact on business continuity and regulatory compliance can be significant if exploited.

Mitigation Recommendations

European organizations should immediately verify their iTop deployment versions and upgrade to the fixed versions 2.7.12, 3.1.3, or 3.2.1 as applicable. Beyond patching, organizations should audit portal user accounts to ensure that only authorized personnel have portal access, minimizing the attack surface. Implement strict role-based access controls (RBAC) within iTop to limit permissions to the minimum necessary. Regularly review and monitor logs for unusual modifications to object fields or unexpected changes in ITSM data. Employ network segmentation and access controls to restrict iTop portal access to trusted networks and users. Additionally, consider integrating iTop with centralized identity and access management (IAM) solutions to enforce multi-factor authentication and improve user privilege management. Conduct periodic security assessments and penetration tests focusing on authorization mechanisms within iTop to detect any residual weaknesses.
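To make the flaw in the Technical Analysis concrete, and to show the field-level check plus audit logging that the mitigations above call for, here is an added Python model of the two server-side write patterns. It is illustrative code written for this page, not iTop's own code: the profile names, field names and ticket shape are constructed assumptions.

```python
from copy import deepcopy

# Constructed example data: which ticket fields each profile may write.
# Names are illustrative and are not iTop's own class or attribute names.
WRITABLE_FIELDS = {
    "Portal user": {"title", "description"},
    "Support agent": {"title", "description", "status", "agent_id", "priority"},
}


class AuthorizationError(Exception):
    """Raised when a caller submits a field outside its allowlist."""


def denied_fields(submitted, profile):
    """Return the submitted field names the given profile may not write."""
    allowed = WRITABLE_FIELDS.get(profile, set())
    return sorted(set(submitted) - allowed)


def update_fields_vulnerable(ticket, submitted):
    """CWE-862 pattern: object-level access was checked, field-level was not.

    Every key the client sent is written, so a portal user who adds extra
    fields to the form submission gets them stored unchanged.
    """
    updated = deepcopy(ticket)
    updated.update(submitted)
    return updated


def update_fields_fixed(ticket, submitted, profile, audit_log):
    """Fixed pattern: compare submitted keys with the profile's allowlist on
    the server, reject the whole request on any mismatch, and log the attempt
    so reviewers can spot probing of the portal."""
    denied = denied_fields(submitted, profile)
    if denied:
        audit_log.append(f"denied profile={profile} fields={denied}")
        raise AuthorizationError(f"fields not writable by {profile}: {denied}")
    updated = deepcopy(ticket)
    updated.update(submitted)
    return updated
```

Rejecting the request outright, rather than silently dropping the disallowed keys, keeps the audit trail honest and surfaces tampering in the logs the mitigation section asks you to monitor.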

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-01-16T17:31:06.459Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fb1484d88663aec9c6

Added to database: 5/20/2025, 6:59:07 PM

Last enriched: 7/6/2025, 3:10:04 PM

Last updated: 7/30/2025, 9:49:13 PM
