
CVE-2025-24026: CWE-1333: Inefficient Regular Expression Complexity in Combodo iTop

Severity: Medium
Tags: Vulnerability, CVE-2025-24026, CWE-1333
Published: Wed May 14 2025 (05/14/2025, 14:59:47 UTC)
Source: CVE
Vendor/Project: Combodo
Product: iTop

Description

iTop is a web-based IT Service Management tool. Versions prior to 3.2.1 are vulnerable to regular expression denial of service (ReDoS) that may, under some circumstances, affect the iTop server. Version 3.2.1 doesn't use the affected variable in the regular expression. As a workaround, if iTop app_root_url is defined in the configuration file, then there is no possible way to exploit this ReDoS.

AI-Powered Analysis

Last updated: 07/06/2025, 15:10:27 UTC

Technical Analysis

CVE-2025-24026 affects Combodo's iTop, a web-based IT Service Management (ITSM) tool. It is classified under CWE-1333 (Inefficient Regular Expression Complexity), the weakness behind Regular Expression Denial of Service (ReDoS). In versions before 3.2.1 a regular expression is built from a variable rather than from a fixed pattern; with crafted input, matching triggers catastrophic backtracking, burns CPU, and slows or stalls the server. The advisory gives two facts that together locate the attacker's influence: 3.2.1 fixes the issue by no longer using the variable in the regular expression, and defining app_root_url in the configuration file makes the issue unexploitable. The natural reading (an inference from those two facts, not something the advisory states) is that when app_root_url is unset, iTop derives the root URL from the incoming request, and that request-derived string ends up inside the pattern; a fixed configuration value removes the attacker's control over it. This distinction matters in general: a ReDoS sink where the attacker controls the pattern, and not merely the subject string, is much easier to hit, because the attacker can supply the nested quantifiers themselves instead of hunting for a pathological case in a fixed expression.

The CVSS v3.1 base score is 5.3 (medium). The metrics given are network attack vector (AV:N), low privileges required (PR:L), no user interaction (UI:N) and high availability impact (A:H), with no confidentiality or integrity impact. Under CVSS v3.1 that combination produces 5.3 only with high attack complexity (AC:H) and unchanged scope; with low attack complexity the same metrics would score 6.5. AC:H is consistent with the advisory's "under some circumstances", i.e. the request-derived fallback must be in effect. No exploitation in the wild was reported at publication. The practical prerequisite is an authenticated account with low privileges, which in an ITSM deployment is a large population, since ordinary users need access to the application to raise and track tickets; the effective exposure is therefore closer to the whole user base than to administrators, and the impact is confined to availability.
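The mechanism described above, as an added example in Python (this is not iTop's code, which is PHP; the function names, the config lookup, the URL-stripping use case and the sample URLs are assumptions modelled on the advisory text): a root URL is derived from the request when app_root_url is not configured and pasted into a pattern, so whoever controls the Host header controls regex syntax. Two fixes follow: escaping the value so it is matched literally, and keeping it out of the regex altogether, which is the shape of the fix the advisory describes for 3.2.1.

```python
import re
import time

# Constructed sample values (not from iTop): a configured root URL and a
# benign request URL under it.
CONFIGURED_ROOT = "https://itop.example/"
BENIGN_URL = "https://itop.example/pages/UI.php"


def root_url_from_request(config: dict, host: str, base_path: str) -> str:
    """Return app_root_url from config if set, else derive it from the request.

    The fallback branch is where attacker influence enters: `host` is the
    Host header. This mirrors the advisory's workaround (a configured
    app_root_url removes the attacker's control); the shape of the fallback
    is an assumption, not iTop code.
    """
    if config.get("app_root_url"):
        return config["app_root_url"]
    return f"https://{host}{base_path}"


def strip_root_unsafe(root_url: str, url: str):
    """VULNERABLE: root_url is pasted into the pattern as regex syntax.

    Whoever controls root_url controls part of the pattern, so they can
    supply nested quantifiers and then a subject string that makes the
    engine backtrack exponentially (CWE-1333).
    """
    m = re.match(rf"^{root_url}(.*)$", url)
    return m.group(1) if m else None


def strip_root_escaped(root_url: str, url: str):
    """Fix 1: escape the value so it is matched literally, never as syntax."""
    m = re.match(rf"^{re.escape(root_url)}(.*)$", url)
    return m.group(1) if m else None


def strip_root_no_regex(root_url: str, url: str):
    """Fix 2: keep the variable out of any regex at all (the shape of the
    3.2.1 fix as the advisory describes it). A prefix check is linear and
    has no backtracking to abuse."""
    if url.startswith(root_url):
        return url[len(root_url):]
    return None


def time_call(fn, root_url: str, url: str) -> float:
    """Wall-clock seconds for one call; used only to show growth in main()."""
    t0 = time.perf_counter()
    fn(root_url, url)
    return time.perf_counter() - t0


if __name__ == "__main__":
    # Attacker-chosen Host header value: valid regex, not a valid hostname.
    hostile_root = root_url_from_request({}, "(a+)+$", "")
    for n in (10, 14, 18):
        subject = "https://" + "a" * n + "!"  # the "!" forces the match to fail
        print(f"n={n:2d} unsafe={time_call(strip_root_unsafe, hostile_root, subject):.4f}s "
              f"escaped={time_call(strip_root_escaped, hostile_root, subject):.6f}s")
```

Running it shows the unsafe variant's time roughly doubling with each extra character while the escaped variant stays flat. The semantic point does not depend on timing: with `https://a+` as the root, the unsafe variant matches `https://aaa` because `+` is read as a quantifier, while the escaped variant does not match at all, and the no-regex variant never consults a pattern.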

Potential Impact

For European organizations that run iTop for core IT service management, the effect of a successful ReDoS is an unavailable or sluggish iTop server, which interrupts ticketing, incident management and service delivery. Because ITSM tools sit in the middle of operational workflows and often integrate with other infrastructure components, an outage also delays the response to every other incident, so the downtime compounds. The low-privilege authentication requirement means the realistic threat actors are insiders and holders of compromised user accounts rather than anonymous attackers. Organizations bound by strict service level agreements or by regulatory availability requirements (GDPR Article 32 lists the availability and resilience of processing systems among the required security measures) face compliance and reputational exposure if the issue is exploited. The vulnerability has no confidentiality or integrity impact, so it does not by itself lead to a data breach. The medium score indicates that it is not critical but still warrants prompt remediation, since denial of service against the ITSM platform impairs the organization's ability to manage every other incident.

Mitigation Recommendations

Upgrade iTop to 3.2.1 or later; that release stops using the affected variable in the regular expression, which removes the sink rather than filtering input to it. Where an upgrade cannot happen immediately, define app_root_url explicitly in the iTop configuration file, which the advisory states makes the ReDoS unexploitable; use the canonical URL through which users reach the instance, since the setting replaces a value that is otherwise determined at runtime. Independently of the fix, limit and monitor authenticated access: because exploitation needs only a low-privileged account, every user account is an attack path, so remove stale accounts and watch for unusual request patterns from individual users. Treat WAF rules as a weak supplementary control here: ReDoS payloads tend to be short, ordinary-looking strings, so generic signatures rarely match them, and length limits on headers and parameters are more useful than content rules. Monitor CPU usage and request latency on the iTop web tier; a ReDoS in progress shows up as saturated PHP worker processes and rising response times without a matching increase in traffic volume. Finally, track this CVE in the normal vulnerability management and patching cycle, and verify the app_root_url setting as part of the configuration review.


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-01-16T17:31:06.460Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fb1484d88663aec9d5

Added to database: 5/20/2025, 6:59:07 PM

Last enriched: 7/6/2025, 3:10:27 PM

Last updated: 8/18/2025, 2:26:25 PM

