CVE-2025-48878: CWE-862: Missing Authorization in Combodo iTop
Combodo iTop is a web-based IT service management tool. In versions on the 3.x branch prior to 3.2.2, an insecure direct object reference allows a user (e.g. with the Service desk agent profile) to create a ModuleInstallation object when they shouldn't be able to do so. Version 3.2.2 fixes the issue.
AI Analysis
Technical Summary
CVE-2025-48878 is a vulnerability classified under CWE-862 (Missing Authorization) affecting Combodo iTop, a web-based IT service management (ITSM) tool widely used for managing IT services and assets. The flaw exists in versions from 3.0.0-alpha up to, but not including, 3.2.2: an insecure direct object reference (IDOR) lets a low-privilege user, such as one holding the Service desk agent profile, create ModuleInstallation objects because no authorization check is applied to that operation. ModuleInstallation objects represent the installation of modules or extensions within iTop, so unauthorized creation could allow an attacker to alter the system's configuration or introduce unauthorized modules. The vulnerability requires no user interaction and can be exploited remotely over the network with low privileges (service desk agent level). The CVSS v3.1 base score is 4.3 (medium), reflecting no direct impact on confidentiality or availability and a limited impact on integrity. The flaw is fixed in version 3.2.2, and no public exploits or active exploitation have been reported to date. Because the authorization logic is missing from the application code, a user with the service desk agent role can perform an action reserved for more privileged roles, which could lead to unauthorized changes in the ITSM environment and undermine trust in service management processes and configurations.
Potential Impact
For European organizations, this vulnerability poses a risk to the integrity of IT service management processes. Unauthorized creation of ModuleInstallation objects could allow attackers or malicious insiders to alter system configurations, potentially leading to mismanagement of IT assets or introduction of unauthorized modules that could be leveraged for further attacks. While confidentiality and availability are not directly impacted, the integrity compromise could disrupt IT operations and compliance with regulatory frameworks such as GDPR or ISO 27001, which require strict control over IT management systems. Organizations relying on Combodo iTop for critical ITSM functions may face operational risks and potential compliance issues if this vulnerability is exploited. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially in environments with less stringent internal controls or where service desk agents have broad access.
Mitigation Recommendations
European organizations should upgrade all affected Combodo iTop instances to version 3.2.2 or later, where the authorization flaw is fixed. Until patching is possible, restrict the assignment of the Service desk agent profile to trusted personnel only and review role permissions to minimize unnecessary privileges. Implement application-layer access controls and monitor logs for unusual creation of ModuleInstallation objects. Conduct regular audits of ITSM configurations to detect unauthorized changes. Network segmentation and limiting access to the iTop web interface to trusted networks can reduce exposure. Additionally, organizations should consider implementing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests targeting ModuleInstallation creation endpoints. Finally, maintain an incident response plan that includes procedures for ITSM compromise scenarios.
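As an added illustration of the log-monitoring recommendation above (not code from iTop or from this advisory), the following script flags ModuleInstallation creations performed by any profile other than Administrator. The key=value audit-line format, the sample entries, and the profile names other than Service desk agent are constructed for this example; iTop's own audit records would need their own parser.

```python
"""Flag ModuleInstallation creations by non-administrator iTop users.

Detection sketch for CVE-2025-48878 style misuse: only administrators are
expected to create ModuleInstallation objects, so any other profile doing so
is worth an alert. The log format below is CONSTRUCTED for this example.
"""
import re
from dataclasses import dataclass

# Constructed sample audit lines (not iTop's real log format).
SAMPLE_LOG = """\
ts=2025-11-10T20:51:39Z user=admin profile=Administrator action=create class=ModuleInstallation id=41
ts=2025-11-10T20:52:02Z user=jdoe profile="Service desk agent" action=create class=UserRequest id=1204
ts=2025-11-10T20:53:17Z user=jdoe profile="Service desk agent" action=create class=ModuleInstallation id=42
ts=2025-11-10T20:54:00Z user=jsmith profile="Configuration Manager" action=update class=ModuleInstallation id=41
"""

# key=value pairs; values may be double-quoted when they contain spaces.
LINE_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Classes whose creation is reserved to administrators, and the profiles allowed to do it.
PRIVILEGED_CLASSES = {"ModuleInstallation"}
ALLOWED_PROFILES = {"Administrator"}


@dataclass
class Finding:
    ts: str
    user: str
    profile: str
    obj_id: str


def parse_line(line: str) -> dict:
    """Turn one audit line into a dict, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in LINE_RE.findall(line)}


def find_unauthorized_creations(log_text: str, privileged=PRIVILEGED_CLASSES,
                                allowed=ALLOWED_PROFILES) -> list:
    """Return one Finding per creation of a privileged class by a non-allowed profile.

    A missing profile field is treated as unauthorized (fail closed).
    """
    findings = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("action") != "create" or f.get("class") not in privileged:
            continue
        if f.get("profile") in allowed:
            continue
        findings.append(Finding(f.get("ts", "?"), f.get("user", "?"),
                                f.get("profile", "<missing>"), f.get("id", "?")))
    return findings


if __name__ == "__main__":
    for hit in find_unauthorized_creations(SAMPLE_LOG):
        print(f"{hit.ts}: {hit.user} ({hit.profile}) created ModuleInstallation #{hit.obj_id}")
```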
Affected Countries
France, Germany, United Kingdom, Netherlands, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-05-27T20:14:34.296Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6912505b58b9e66d50f7c9cc
Added to database: 11/10/2025, 8:51:39 PM
Last enriched: 11/10/2025, 9:06:59 PM
Last updated: 11/11/2025, 3:12:42 AM