CVE-2025-26844 is a critical security vulnerability identified in Znuny, an open-source ticketing system derived from OTRS, up to version 7.1.3. The vulnerability arises because a cookie is set without the HttpOnly flag. The HttpOnly attribute is a security feature that prevents client-side scripts, such as JavaScript, from accessing cookies. Without this flag, cookies are exposed to cross-site scripting (XSS) attacks, allowing attackers to potentially steal session cookies, leading to session hijacking, unauthorized access, and privilege escalation. The vulnerability has a CVSS v3.1 base score of 9.8, indicating critical severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and impacts confidentiality, integrity, and availability (C:H/I:H/A:H). This means an attacker can remotely exploit this vulnerability without authentication or user interaction, potentially gaining full control over the affected system. The CWE associated is CWE-1004, which relates to improper cookie handling. Although no known exploits are currently reported in the wild and no patch links are provided, the critical nature of this vulnerability demands immediate attention. The lack of the HttpOnly flag on cookies can facilitate session theft and impersonation attacks, especially in web applications handling sensitive data or critical workflows, such as customer support and incident management platforms like Znuny.

For European organizations using Znuny for their ticketing and customer support operations, this vulnerability poses a significant risk. Exploitation could lead to unauthorized access to sensitive customer data, internal communications, and operational workflows. This could result in data breaches, disruption of support services, and potential compliance violations under regulations such as GDPR. The critical severity and ease of exploitation mean attackers can remotely compromise systems without user interaction or credentials, increasing the risk of widespread attacks. Organizations in sectors with high reliance on secure customer support platforms—such as finance, healthcare, and government—are particularly vulnerable. Additionally, compromised ticketing systems can be leveraged as pivot points for lateral movement within networks, escalating the impact beyond the initial breach. The absence of HttpOnly flags also increases the risk of session hijacking via XSS attacks, which are common in web environments, further amplifying the threat landscape for European entities.

Immediate mitigation steps include: 1) Applying any available patches or updates from Znuny as soon as they are released. Since no patch links are currently provided, organizations should monitor official Znuny channels for updates. 2) As a temporary workaround, administrators can configure web server or application-level controls to enforce the HttpOnly attribute on cookies, for example, by modifying cookie-setting headers or using reverse proxy rules. 3) Conduct thorough security assessments and penetration testing focusing on XSS vulnerabilities within the Znuny deployment to reduce the risk of cookie theft. 4) Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts, mitigating XSS exploitation. 5) Enhance monitoring and logging of authentication and session activities to detect anomalous behavior indicative of session hijacking. 6) Educate users and administrators about the risks of session theft and encourage the use of multi-factor authentication (MFA) where possible to reduce the impact of compromised credentials. 7) Network segmentation and strict access controls should be enforced to limit lateral movement if a breach occurs. These measures combined will reduce the attack surface and mitigate the risk until an official patch is available.