
CVE-2025-24785: CWE-20: Improper Input Validation in Combodo iTop

Medium
Tags: Vulnerability, CVE-2025-24785, CVE, CWE-20
Published: Wed May 14 2025 (05/14/2025, 15:05:28 UTC)
Source: CVE
Vendor/Project: Combodo
Product: iTop

Description

iTop is a web-based IT Service Management tool. In version 3.2.0, an attacker may send a URL to the server to trigger a PHP error. The next user trying to load this dashboard would encounter a crashed start page. Version 3.2.1 fixes the issue by checking the provided layout_class before saving the dashboard.

AI-Powered Analysis

AILast updated: 07/06/2025, 14:55:18 UTC

Technical Analysis

CVE-2025-24785 is a medium-severity vulnerability in Combodo iTop 3.2.0, a web-based IT Service Management (ITSM) tool. It is an improper input validation flaw (CWE-20) in the handling of the 'layout_class' parameter when a dashboard configuration is saved: the value is persisted without being checked, so a crafted URL can store a layout_class that makes the server raise a PHP error when the dashboard is next rendered. The error is not confined to the attacker's own request; the next user who loads the affected dashboard gets a crashed start page, which is a denial of service (DoS) against that dashboard. Version 3.2.1 fixes the issue by validating 'layout_class' before the dashboard is saved. The CVSS v3.1 base score is 4.3: network attack vector, low attack complexity, no privileges required, user interaction required, and an impact on availability only. No exploitation in the wild was known as of the publication date. Confidentiality and integrity are not affected, but loss of the dashboard can disrupt ITSM operations and user productivity.
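The following PHP example is added here to show the CWE-20 pattern described above and the shape of the 3.2.1 fix; it is not iTop's code. The DashboardLayout class hierarchy, the function names and the array-backed "store" are illustrative assumptions standing in for iTop's dashboard classes and persistence, and the untrusted value is constructed. The unsafe path persists whatever string arrives and only instantiates it on the next load, which is exactly when the error surfaces for another user; the safe path rejects the value in the request that carried it.

```php
<?php
// Added example (not iTop's code). Class names, function names and the
// array-backed store are assumptions modelled on the flaw described above.

abstract class DashboardLayout
{
    abstract public function render(array $aCells): string;
}

class DashboardLayoutOneCol extends DashboardLayout
{
    public function render(array $aCells): string { return implode("\n", $aCells); }
}

class DashboardLayoutTwoCols extends DashboardLayout
{
    public function render(array $aCells): string { return implode(' | ', $aCells); }
}

// Vulnerable pattern: the attacker-supplied string is persisted unchecked and
// only instantiated later, when someone loads the dashboard. A name that is
// not a loadable class makes `new $sClass()` throw an Error; uncaught, that is
// the PHP fatal error that crashes the start page for the next user.
function saveDashboardUnsafe(array &$aStore, string $sLayoutClass): void
{
    $aStore['layout_class'] = $sLayoutClass;   // no validation at all
}

function loadDashboardUnsafe(array $aStore, array $aCells): string
{
    $sClass = $aStore['layout_class'];
    $oLayout = new $sClass();                  // Error: Class "..." not found
    return $oLayout->render($aCells);
}

// Hardened pattern: validate at save time against what the application
// actually knows, so a bad value fails the request that sends it instead of
// poisoning the stored dashboard for everyone else.
function isValidLayoutClass(string $sLayoutClass): bool
{
    // class_exists() with autoloading disabled: an unknown name must not be
    // allowed to trigger autoloader side effects. is_subclass_of() rejects
    // classes that merely happen to exist (the abstract base included).
    return class_exists($sLayoutClass, false)
        && is_subclass_of($sLayoutClass, DashboardLayout::class);
}

function saveDashboardSafe(array &$aStore, string $sLayoutClass): void
{
    if (!isValidLayoutClass($sLayoutClass)) {
        throw new InvalidArgumentException('Invalid layout_class: ' . $sLayoutClass);
    }
    $aStore['layout_class'] = $sLayoutClass;
}

// Demonstration. The request value is constructed; on the CLI $_GET is empty,
// so the fallback plays the role of the attacker's parameter.
$aStore = [];
$sUntrusted = $_GET['layout_class'] ?? 'DoesNotExist';

saveDashboardUnsafe($aStore, $sUntrusted);
try {
    echo loadDashboardUnsafe($aStore, ['a', 'b']), "\n";
} catch (Error $e) {
    echo "next user's page would crash: ", $e->getMessage(), "\n";
}

try {
    saveDashboardSafe($aStore, $sUntrusted);
    echo "saved\n";
} catch (InvalidArgumentException $e) {
    echo "rejected at save time: ", $e->getMessage(), "\n";
}
```

In a real installation where layout classes are autoloaded, the `class_exists` call would need autoloading enabled or, better, an explicit allow-list of layout class names; the point that carries over is that the check belongs on the save path, not on the render path, because a value that fails on render has already been stored.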

Potential Impact

For European organizations that rely on Combodo iTop 3.2.0 for IT service management, this vulnerability can take the dashboard start page offline and so block access to the ITSM functions reached through it. Because the invalid value is saved with the dashboard, the crash is not a single failed request: it affects users who load that dashboard afterwards, until the stored configuration is corrected. That can delay incident handling, change requests and other IT operations, with knock-on effects on business continuity. The impact is limited to availability and no sensitive data is exposed, but the dashboard is the central interface for IT staff, so its unavailability creates an operational bottleneck. Organizations with a high dependency on iTop, notably in finance, healthcare and public administration, carry the most operational risk. Since exploitation needs user interaction (loading a crafted URL), phishing or other social engineering is a realistic delivery route, which makes targeted attacks plausible.

Mitigation Recommendations

European organizations should promptly upgrade Combodo iTop from 3.2.0 to 3.2.1 or later, where the input validation flaw is fixed. Until the upgrade is possible, add web application firewall (WAF) rules that block requests carrying a 'layout_class' value outside the set of layout classes the installation legitimately uses, restrict dashboard access to trusted users and networks, and warn users not to open untrusted iTop URLs, since opening a crafted URL is what triggers the issue. Monitor application and PHP error logs for uncaught errors on dashboard pages or unexplained crashes of the start page; these are the observable signs of an exploitation attempt. Audit ITSM tool versions and configurations regularly, and segment ITSM tools away from general user networks to reduce the reachable attack surface.
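As an added example of the interim WAF rule recommended above (not from the advisory or from Combodo), the following ModSecurity rule rejects any request whose layout_class parameter falls outside an allow-list. The three class names and the rule id are assumptions; take the real set of layout classes from the dashboards your installation ships.

```apache
# Added example, not from the advisory or Combodo. Virtual patch for an
# unpatched iTop 3.2.0: deny any request whose layout_class parameter is not
# one of the values this deployment legitimately uses. The allow-list below
# and the rule id are assumptions; adjust them to your installation.
SecRule ARGS:layout_class "!@rx ^DashboardLayout(OneCol|TwoCols|ThreeCols)$" \
    "id:1002024785,phase:2,deny,status:403,log,t:none,\
    msg:'iTop layout_class outside allow-list (CVE-2025-24785 virtual patch)'"
```

`ARGS:layout_class` covers the parameter whether it arrives in the query string or a POST body, and the rule is negated (`!@rx`) so anything not explicitly allowed is blocked; each hit is logged, which doubles as the detection signal for the log monitoring suggested above.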


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-01-23T17:11:35.835Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682cd0fb1484d88663aec999

Added to database: 5/20/2025, 6:59:07 PM

Last enriched: 7/6/2025, 2:55:18 PM

Last updated: 8/17/2025, 3:03:04 AM

