
CVE-2025-24969: CWE-639: Authorization Bypass Through User-Controlled Key in Combodo iTop

Severity: Medium
Tags: Vulnerability, CVE-2025-24969, CVE, CWE-639
Published: Wed May 14 2025 (05/14/2025, 15:11:45 UTC)
Source: CVE
Vendor/Project: Combodo
Product: iTop

Description

iTop is a web-based IT Service Management tool. Prior to version 3.2.1, a portal user can see any other contact's picture by changing the picture ID in the URL. Version 3.2.1 contains a patch for the issue.

AI-Powered Analysis

Last updated: 07/06/2025, 14:27:08 UTC

Technical Analysis

CVE-2025-24969 is a medium severity vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting Combodo's iTop, a web-based IT Service Management (ITSM) tool. The vulnerability exists in versions prior to 3.2.1: the portal endpoint that serves contact pictures looks the picture up by the ID supplied in the URL without checking whether the requesting portal user is authorized to view that contact's picture, so a portal user can change the picture ID parameter and view other users' contact pictures. This is an insecure direct object reference: the server trusts a client-controlled key instead of enforcing access control on the object it identifies. The vulnerability does not require user interaction and can be exploited remotely over the network with low attack complexity, but it requires the attacker to hold a portal account (PR:L, low privileges required). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially authorized scope. The impact is limited to confidentiality (C:L), with no impact on integrity or availability. The vendor has released version 3.2.1 to patch this issue. No known exploits are currently reported in the wild. The vulnerability highlights a failure to enforce proper authorization checks on user-controlled keys in URL parameters, a common web application security weakness that leads to unauthorized information disclosure.

Potential Impact

For European organizations using iTop versions prior to 3.2.1, this vulnerability poses a risk of unauthorized disclosure of user contact pictures, which may include sensitive or personally identifiable information (PII). While the direct impact on confidentiality is limited to images, such information could be leveraged in social engineering or reconnaissance activities by attackers targeting the organization. In regulated environments within Europe, such as those governed by GDPR, unauthorized exposure of personal data—even images—can lead to compliance violations and potential fines. Additionally, the vulnerability could undermine user trust in the ITSM platform and potentially expose internal organizational structure or personnel details. Although the vulnerability does not affect system integrity or availability, the confidentiality breach could be a stepping stone for more targeted attacks if combined with other vulnerabilities or insider threats.

Mitigation Recommendations

European organizations should promptly upgrade all instances of Combodo iTop to version 3.2.1 or later, where the vulnerability has been patched. Until the upgrade is applied, organizations should implement strict access control policies on the portal to limit user privileges and restrict access to sensitive user information. Monitoring and logging access to user profile pictures and related endpoints can help detect suspicious activity, in particular a single portal account requesting many distinct picture IDs in a short period. Additionally, organizations should review URL parameter handling and enforce server-side authorization checks on every object identifier accepted from the client, so that a valid ID alone is never sufficient to retrieve the object. Conducting internal security assessments and penetration tests focusing on authorization bypass vulnerabilities in web applications like iTop is recommended. Finally, raising user awareness about the sensitivity of personal data and enforcing strong authentication mechanisms can reduce the risk of exploitation.
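The pattern behind CWE-639 and the server-side check that closes it, as an added example that is not iTop's code and does not reproduce iTop's picture endpoint: the vulnerable handler serves whatever picture ID the client names, while the hardened handler applies an authorization rule (assumed here: a portal user may view their own picture or those of contacts in their own organisation) before returning anything. The second half applies the monitoring recommendation above, scanning constructed access-log lines for a portal account requesting many distinct picture IDs. All names, data structures and log lines are constructed for this example.

```python
"""CWE-639 on a 'contact picture' endpoint: vulnerable lookup, hardened lookup,
and a log check for ID enumeration. Everything here is constructed sample code,
not iTop's implementation."""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse


@dataclass(frozen=True)
class Picture:
    picture_id: int
    owner_contact_id: int  # contact whose portrait this is
    data: bytes


@dataclass(frozen=True)
class PortalUser:
    contact_id: int
    org_id: int


class Forbidden(Exception):
    """Raised when the requesting user may not see the object (or it is absent)."""


# Constructed sample data: contacts 1 and 2 belong to org 10, contact 3 to org 20.
CONTACT_ORG = {1: 10, 2: 10, 3: 20}
PICTURES = {
    101: Picture(101, 1, b"PNG-alice"),
    102: Picture(102, 2, b"PNG-bob"),
    103: Picture(103, 3, b"PNG-carol"),
}


def get_picture_vulnerable(user: PortalUser, picture_id: int) -> bytes:
    """Vulnerable pattern: the only check is that the client-supplied ID exists.
    Any authenticated portal user can read any contact's picture."""
    pic = PICTURES.get(picture_id)
    if pic is None:
        raise KeyError(picture_id)
    return pic.data


def is_authorized(user: PortalUser, pic: Picture) -> bool:
    """Assumed authorization rule for this example: own picture, or a picture of
    a contact in the same organisation. A real deployment would use its own
    visibility model; the point is that the decision is made server-side."""
    if pic.owner_contact_id == user.contact_id:
        return True
    return CONTACT_ORG.get(pic.owner_contact_id) == user.org_id


def get_picture_hardened(user: PortalUser, picture_id: int) -> bytes:
    """Hardened pattern: the ID is only a lookup key; access is decided by the
    caller's identity. Missing and unauthorized are reported identically so the
    endpoint does not confirm which IDs exist."""
    pic = PICTURES.get(picture_id)
    if pic is None or not is_authorized(user, pic):
        raise Forbidden(f"picture {picture_id} not available to contact {user.contact_id}")
    return pic.data


# Constructed access-log lines: user 3 walks through four picture IDs, user 1 requests two.
LOG_LINES = [
    "2025-05-14T10:00:01Z user=1 path=/portal/picture?id=101 status=200",
    "2025-05-14T10:00:02Z user=1 path=/portal/picture?id=102 status=200",
    "2025-05-14T10:00:05Z user=3 path=/portal/picture?id=101 status=200",
    "2025-05-14T10:00:06Z user=3 path=/portal/picture?id=102 status=200",
    "2025-05-14T10:00:07Z user=3 path=/portal/picture?id=103 status=200",
    "2025-05-14T10:00:08Z user=3 path=/portal/picture?id=104 status=403",
]


def flag_enumeration(lines, threshold: int = 3):
    """Return the user IDs that requested at least `threshold` distinct picture IDs.
    Status is deliberately ignored: on a vulnerable version every request succeeds,
    so the distinct-ID count, not the error rate, is the signal."""
    distinct_ids = defaultdict(set)
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        query = parse_qs(urlparse(fields["path"]).query)
        if "id" in query:
            distinct_ids[fields["user"]].add(query["id"][0])
    return sorted(u for u, ids in distinct_ids.items() if len(ids) >= threshold)


if __name__ == "__main__":
    alice = PortalUser(contact_id=1, org_id=10)
    print(get_picture_vulnerable(alice, 103))  # cross-organisation picture served
    print(get_picture_hardened(alice, 102))    # same organisation: allowed
    try:
        get_picture_hardened(alice, 103)
    except Forbidden as exc:
        print("denied:", exc)
    print("flagged users:", flag_enumeration(LOG_LINES))
```

The hardened handler keeps the client-supplied ID as nothing more than a lookup key; the authorization decision depends on who is asking, and a wrong answer for "not found" and "not yours" is the same response. The log check is intentionally simple and meant as a starting point for tuning a threshold against normal portal usage.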


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-01-29T15:18:03.209Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682cd0fb1484d88663aec944

Added to database: 5/20/2025, 6:59:07 PM

Last enriched: 7/6/2025, 2:27:08 PM

Last updated: 7/31/2025, 1:59:51 AM
