
CVE-2025-24021: CWE-862: Missing Authorization in Combodo iTop

Medium
Tags: Vulnerability, CVE-2025-24021, cve, cve-2025-24021, cwe-862
Published: Wed May 14 2025 (05/14/2025, 14:48:42 UTC)
Source: CVE
Vendor/Project: Combodo
Product: iTop

Description

iTop is a web-based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can set values on object fields when they're not supposed to. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue.

AI-Powered Analysis

Last updated: 08/30/2025, 01:01:50 UTC

Technical Analysis

CVE-2025-24021 is a medium-severity vulnerability identified in Combodo's iTop, a web-based IT Service Management (ITSM) tool widely used for managing IT infrastructure and services. The vulnerability is classified under CWE-862, indicating a Missing Authorization issue. Specifically, in versions prior to 2.7.12, between 3.0.0 and before 3.1.3, and between 3.2.0 and before 3.2.1, any user with portal access—meaning any authenticated user with a portal account—can set or modify object field values that they should not be authorized to change. This lack of proper authorization checks allows users to escalate their privileges within the application context by altering data fields that are typically restricted. The vulnerability does not require user interaction beyond having a valid portal account and can be exploited remotely over the network (AV:N). The attack complexity is low (AC:L), and the attacker must have low privileges (PR:L) but no additional user interaction is needed (UI:N). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The impact is limited to integrity (I:L), with no direct confidentiality or availability impact. The issue was addressed in versions 2.7.12, 3.1.3, and 3.2.1 by implementing proper authorization checks to restrict unauthorized field modifications. No known exploits are currently reported in the wild, but the vulnerability's nature makes it a potential vector for unauthorized data manipulation within ITSM environments.
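The three affected ranges above are easy to misread during triage (a 3.1.4 install is not affected, a 3.2.0 install is). The following is an added example, not Combodo code, that encodes exactly the ranges stated in this advisory and reports which fixed release applies; the branch-to-fix mapping in recommended_fix is an assumption based on the three fixed versions named here.

```python
"""Check whether an iTop version falls inside the ranges CVE-2025-24021 affects.

Added example, not Combodo/iTop code. Ranges are taken from the advisory text:
  < 2.7.12, 3.0.0 <= v < 3.1.3, 3.2.0 <= v < 3.2.1.
"""
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (lower bound inclusive or None, upper bound exclusive), one entry per branch
AFFECTED_RANGES = [
    (None, (2, 7, 12)),
    ((3, 0, 0), (3, 1, 3)),
    ((3, 2, 0), (3, 2, 1)),
]


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' into a tuple; missing parts count as 0.

    A packaging suffix such as '-1' is dropped; a non-numeric component
    (e.g. 'beta') ends the parse at that point.
    """
    core = text.strip().split("-")[0]
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected(version_text: str) -> bool:
    """True when the version lies in any affected range."""
    v = parse_version(version_text)
    for low, high in AFFECTED_RANGES:
        if (low is None or v >= low) and v < high:
            return True
    return False


def recommended_fix(version_text: str) -> Optional[str]:
    """Fixed release on the same branch, or None when already fixed.

    Assumption: 2.x installs move to 2.7.12, 3.0/3.1 to 3.1.3, 3.2 to 3.2.1.
    """
    if not is_affected(version_text):
        return None
    v = parse_version(version_text)
    if v < (3, 0, 0):
        return "2.7.12"
    if v < (3, 2, 0):
        return "3.1.3"
    return "3.2.1"


if __name__ == "__main__":
    for candidate in ["2.7.11", "2.7.12", "3.0.4", "3.1.3", "3.1.4", "3.2.0-1", "3.2.1"]:
        print(f"{candidate:>8}: affected={is_affected(candidate)} fix={recommended_fix(candidate)}")
```

Feed it the version string from your deployment inventory rather than trusting the branch number alone; the upper bounds are exclusive, so only the exact fixed releases and later clear the check.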

Potential Impact

For European organizations, the impact of this vulnerability can be significant, especially for those relying on iTop for IT service management and asset tracking. Unauthorized modification of object fields could lead to inaccurate IT asset records, misconfiguration of services, or manipulation of incident and change management data. This can disrupt IT operations, cause compliance issues, and potentially lead to further security incidents if attackers alter critical configuration data or escalate privileges within the ITSM system. The integrity compromise could undermine trust in IT management processes and complicate incident response efforts. While confidentiality and availability are not directly affected, the integrity loss alone can have cascading effects on operational reliability and regulatory compliance, particularly under GDPR and other European data protection frameworks where accurate record-keeping is essential.

Mitigation Recommendations

European organizations using iTop should immediately verify their deployed versions and upgrade to the fixed releases: 2.7.12, 3.1.3, or 3.2.1 as applicable. Beyond patching, organizations should audit portal user accounts to ensure that only necessary personnel have portal access, minimizing the attack surface. Implement strict role-based access controls (RBAC) within iTop to limit field modification permissions to authorized roles only. Regularly review and monitor audit logs for unusual changes to object fields, enabling early detection of unauthorized modifications. Network segmentation can be employed to restrict access to the iTop portal to trusted internal networks or VPN users. Additionally, consider implementing web application firewalls (WAF) with custom rules to detect and block anomalous requests attempting unauthorized field changes. Finally, integrate iTop security monitoring into the organization's broader security information and event management (SIEM) system for comprehensive oversight.
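The RBAC and audit-review advice above comes down to one property: a portal account may write only an explicit allow-list of fields, and anything outside it is both rejected at write time and flagged in review. The following is an added example, not iTop code; the profile names, object classes, fields and change records are constructed for illustration and do not reproduce iTop's real permission model or change-log format.

```python
"""Deny-by-default field-write policy for portal users, plus a review pass
over change records. Added example, not iTop code; all names are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Fields a portal user may write, per object class (constructed policy).
# Anything not listed is denied: the check that a CWE-862 bug is missing.
PORTAL_WRITABLE: Dict[str, Set[str]] = {
    "UserRequest": {"title", "description", "urgency"},
    "Person": {"phone", "mobile_phone"},
}

# Profiles that are governed by their own, broader rights (constructed).
BACKOFFICE_PROFILES = {"Administrator", "Support Agent"}


def can_write_field(profiles: Set[str], obj_class: str, field: str) -> bool:
    """Authorization decision for a single field write."""
    if profiles & BACKOFFICE_PROFILES:
        return True
    return field in PORTAL_WRITABLE.get(obj_class, set())


def filter_update(profiles: Set[str], obj_class: str,
                  requested: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Split a requested update into fields to apply and fields to reject.

    Rejected fields are returned so the caller can log them; silently
    dropping them would hide probing attempts from the audit trail.
    """
    accepted: Dict[str, str] = {}
    rejected: List[str] = []
    for field, value in requested.items():
        if can_write_field(profiles, obj_class, field):
            accepted[field] = value
        else:
            rejected.append(field)
    return accepted, rejected


@dataclass(frozen=True)
class ChangeRecord:
    user: str
    profiles: FrozenSet[str]
    obj_class: str
    obj_id: int
    field: str
    old: str
    new: str


def review_changes(records: List[ChangeRecord]) -> List[ChangeRecord]:
    """Records where a portal-only account wrote a field outside the allow-list.

    Running this over historical change records is the retrospective check
    for an unpatched period; the same policy function drives both paths.
    """
    return [r for r in records
            if not can_write_field(set(r.profiles), r.obj_class, r.field)]


# Constructed sample records, not real iTop log output.
SAMPLE_CHANGES = [
    ChangeRecord("alice", frozenset({"Portal user"}), "UserRequest", 101,
                 "title", "Printer", "Printer jammed"),
    ChangeRecord("alice", frozenset({"Portal user"}), "UserRequest", 101,
                 "agent_id", "", "7"),
    ChangeRecord("bob", frozenset({"Support Agent"}), "UserRequest", 101,
                 "status", "new", "assigned"),
    ChangeRecord("carol", frozenset({"Portal user"}), "Server", 12,
                 "status", "production", "obsolete"),
]

if __name__ == "__main__":
    for r in review_changes(SAMPLE_CHANGES):
        print(f"review: {r.user} set {r.obj_class}#{r.obj_id}.{r.field} = {r.new!r}")
```

The same can_write_field decision serves the write path (filter_update) and the audit path (review_changes), so the allow-list only has to be maintained once; when exporting real change history into this shape, map each record's profiles from the identity source at the time of the change, not from the account's current profiles.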


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-01-16T17:31:06.459Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682cd0fb1484d88663aec9c6

Added to database: 5/20/2025, 6:59:07 PM

Last enriched: 8/30/2025, 1:01:50 AM

Last updated: 9/26/2025, 3:51:59 PM

Views: 17
