CVE-2025-26847: n/a in n/a
An issue was discovered in Znuny before 7.1.5. When generating a support bundle, not all passwords are masked.
AI Analysis
Technical Summary
CVE-2025-26847 is a critical vulnerability identified in Znuny versions prior to 7.1.5. Znuny is an open-source ticketing and customer support system widely used for IT service management. The vulnerability arises during the generation of support bundles, which are diagnostic packages containing system information and logs intended to assist in troubleshooting and support. The issue is that not all passwords are masked or redacted within these support bundles, so sensitive credentials could be exposed in plaintext within files that may be shared with support personnel or intercepted by unauthorized parties. The CVSS 3.1 score of 9.1 reflects a critical severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The scope is unchanged (S:U); the impact on confidentiality is high (C:H), the impact on integrity is none (I:N), and the impact on availability is high (A:H). This indicates that an attacker can remotely obtain sensitive password information without authentication or user interaction, potentially leading to further compromise of the system or connected infrastructure. The CWE-521 classification relates to weak or insufficient password masking or protection mechanisms. Although no known exploits are currently reported in the wild, the ease of exploitation and critical impact make this a significant threat. No patch links are listed; users should urgently update to Znuny 7.1.5 or later once available to remediate this issue.
Potential Impact
For European organizations using Znuny for IT service management or customer support, this vulnerability poses a serious risk to confidentiality. Exposure of passwords in support bundles could lead to unauthorized access to internal systems, escalation of privileges, or lateral movement within networks. Given that support bundles are often shared with third-party vendors or support teams, the risk extends beyond the immediate organization. Confidential data leakage could violate GDPR requirements, leading to regulatory penalties and reputational damage. The critical CVSS score and network exploitability mean attackers can remotely retrieve sensitive credentials without authentication, increasing the likelihood of compromise. Additionally, the availability impact is high, indicating that exploitation could disrupt service operations, which is particularly concerning for organizations relying on Znuny for critical ITSM functions. Overall, this vulnerability could undermine trust in support processes and expose organizations to data breaches and operational disruptions.
Mitigation Recommendations
European organizations should take immediate steps to mitigate this vulnerability. First, they should verify their Znuny version and plan to upgrade to version 7.1.5 or later as soon as it is released, as this will contain the necessary fixes to properly mask passwords in support bundles. Until the patch is applied, organizations should restrict access to support bundles strictly to trusted personnel and avoid sharing them externally. Implementing encryption for support bundles during storage and transmission can reduce exposure risk. Additionally, organizations should audit existing support bundles for exposed credentials and rotate any passwords or secrets found to be compromised. Monitoring network traffic and logs for unusual access patterns related to support bundle generation or retrieval is also recommended. Finally, organizations should review their internal policies on handling diagnostic data to ensure sensitive information is protected and consider using alternative diagnostic methods that do not expose passwords.
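One way to carry out the audit of existing support bundles recommended above, as an added example that is not Znuny's own code: it scans a tar archive for password-like settings whose values are not a masking placeholder, and reports only file, line and key. The archive layout, the key-name pattern, the masking placeholders and the sample bundle contents are all assumptions made for illustration.

```python
import io
import re
import tarfile

# Assumption: secret-bearing settings have "password", "passwd", "pw", "pwd"
# or "secret" in the key name (e.g. DatabasePw in a Perl config file).
ASSIGN = re.compile(
    r"(?<![\w.:-])(?P<key>[\w.:-]*(?:passw(?:or)?d|pwd?(?![a-z])|secret)[\w.:-]*)"
    r"['\"}\]]*\s*(?:=>|=|:)\s*"
    r"(?:'(?P<sq>[^']*)'|\"(?P<dq>[^\"]*)\"|(?P<bare>[^\s,;'\"]+))",
    re.IGNORECASE,
)
# Assumption: a masked value is a run of x or * characters, or a
# [masked]/[redacted] placeholder. Adjust to what your bundles contain.
MASKED = re.compile(r"[x*]+|\[?(?:masked|redacted)\]?", re.IGNORECASE)


def audit_bundle(fileobj):
    """Return (member, line_no, key) per unmasked value; never the value itself."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            for line_no, line in enumerate(text.splitlines(), 1):
                for m in ASSIGN.finditer(line):
                    value = m.group("sq") or m.group("dq") or m.group("bare") or ""
                    if value and not MASKED.fullmatch(value):
                        findings.append((member.name, line_no, m.group("key")))
    return findings


def build_sample_bundle():
    """Constructed sample: one masked entry and two unmasked ones."""
    files = {
        "Config.pm": "$Self->{DatabasePw} = 'xxx';\n"
                     "$Self->{'Example::SMTPPassword'} = 'hunter2';\n",
        "settings.yml": "host: mail.example.org\nldap_bind_pw: s3cr3t\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body.encode())
            tar.addfile(info, io.BytesIO(body.encode()))
    buf.seek(0)
    return buf
```

Every key reported this way marks a credential to rotate, and the bundle that contained it should be treated as sensitive until it is deleted or re-generated on a fixed version.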
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-02-15T00:00:00.000Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9818c4522896dcbd8120
Added to database: 5/21/2025, 9:08:40 AM
Last enriched: 7/5/2025, 4:41:15 AM
Last updated: 8/1/2025, 8:15:28 AM