CVE-2025-49145: CWE-863: Incorrect Authorization in Combodo iTop
Combodo iTop is a web based IT service management tool. In versions prior to 2.7.13 and 3.2.2, a user that has enough rights to create webhooks (mostly administrators) can drop the database. This is fixed in iTop 2.7.13 and 3.2.2 by verifying callback signature.
AI Analysis
Technical Summary
CVE-2025-49145 is an incorrect authorization vulnerability (CWE-863) in Combodo iTop, a widely deployed web-based IT service management platform. Affected versions are those before 2.7.13 and the 3.x line from 3.0.0-alpha up to but not including 3.2.2. A user with enough rights to create webhooks, in practice mostly administrators, can use the webhook mechanism to drop the application database, an outcome the right to define webhooks was never meant to include. The advisory attributes the fix to verifying the signature of webhook callbacks: before the patch, iTop acted on a callback without checking that it genuinely came from the trusted issuer, so a user who could define a webhook could also supply a callback that the application treated as trusted and that reached a destructive operation. The result is a loss of integrity and availability for the whole ITSM data set. The vulnerability carries a CVSS v3.1 base score of 8.7 (High): network attack vector, low attack complexity, high privileges required, no user interaction, and changed scope, which in CVSS terms means the impact reaches beyond the vulnerable web component, here into the backing database. Versions 2.7.13 and 3.2.2 validate callback signatures and therefore reject callbacks that were not issued by the server itself. No exploitation in the wild has been reported, but the low complexity and the severity of the outcome mean that one compromised or malicious administrator account is enough; organizations running iTop should upgrade promptly.
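The signature check the fix relies on is worth seeing in concrete form. The following Python program is an added example written for this page; it is not iTop's code and assumes nothing about iTop's real callback format (the header names, the JSON body, the action names and the in-memory "database" are all constructed for the illustration). It contrasts a handler that acts on a callback body merely because the webhook was created by a privileged user with one that first checks a freshness timestamp and an HMAC computed with a server-held secret the webhook's creator never sees, and that then still confines dispatch to an allow-list of actions:

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed for illustration: a webhook callback is modelled as an HTTP-style
# (headers, body) pair whose JSON body names an action for the server to run.
# Header names, action names and the DATABASE dict are assumptions made for
# this example; they are not iTop's real callback format or internals.

DATABASE = {"tables": ["ticket", "contact", "server"]}

# Only actions a callback is ever allowed to trigger; nothing destructive.
ALLOWED_ACTIONS = {"refresh_ticket", "close_ticket"}


def dispatch(action: str) -> str:
    """Run the requested action, but only if it is allow-listed."""
    if action not in ALLOWED_ACTIONS:
        return "rejected: action not allowed"
    return f"ok: {action}"


def dispatch_unrestricted(action: str) -> str:
    """Pattern to avoid: whatever action the request names is executed."""
    if action == "drop_database":
        DATABASE["tables"].clear()
        return "database dropped"
    return f"ok: {action}"


def handle_callback_unverified(headers: dict, body: bytes) -> str:
    """Vulnerable pattern: the callback is trusted because creating the webhook
    required privileges, so its body is acted on without checking who issued it."""
    return dispatch_unrestricted(json.loads(body)["action"])


def sign_callback(secret: bytes, body: bytes, timestamp: int) -> dict:
    """Issuer side: HMAC-SHA256 over timestamp and body with the server-held secret."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    return {"X-Callback-Timestamp": str(timestamp), "X-Callback-Signature": f"sha256={mac}"}


def handle_callback_verified(secret: bytes, headers: dict, body: bytes,
                             now: int, max_skew: int = 300) -> str:
    """Fixed pattern: check freshness and signature before parsing the body,
    then dispatch only allow-listed actions. The MAC comparison is constant-time."""
    ts_raw = headers.get("X-Callback-Timestamp")
    sig = headers.get("X-Callback-Signature", "")
    if ts_raw is None or not ts_raw.isdigit() or not sig.startswith("sha256="):
        return "rejected: missing signature"
    ts = int(ts_raw)
    if abs(now - ts) > max_skew:
        return "rejected: stale timestamp"
    expected = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig[len("sha256="):]):
        return "rejected: bad signature"
    try:
        action = json.loads(body)["action"]
    except (ValueError, KeyError, TypeError):
        return "rejected: malformed body"
    return dispatch(action)


def demo() -> dict:
    """Exercise both handlers with constructed callbacks and report the outcomes."""
    # Server-side secret created with the webhook; never shown to the webhook's creator.
    secret = secrets.token_bytes(32)
    now = int(time.time())
    legit = json.dumps({"action": "refresh_ticket"}).encode()
    hostile = json.dumps({"action": "drop_database"}).encode()

    results = {}
    # The weak handler executes whatever the body asks for.
    results["unverified_hostile"] = handle_callback_unverified({}, hostile)
    results["tables_after_unverified"] = len(DATABASE["tables"])
    # A properly signed, fresh, allow-listed callback passes.
    results["signed_legit"] = handle_callback_verified(
        secret, sign_callback(secret, legit, now), legit, now)
    # An unsigned hostile callback is refused before the body is parsed.
    results["unsigned_hostile"] = handle_callback_verified(secret, {}, hostile, now)
    # A signed body altered in flight no longer matches its MAC.
    hdrs = sign_callback(secret, legit, now)
    results["tampered"] = handle_callback_verified(secret, hdrs, hostile, now)
    # A valid signature replayed after the freshness window is refused.
    results["replayed"] = handle_callback_verified(secret, hdrs, legit, now + 3600)
    # Even a correctly signed request cannot reach a non-allow-listed action.
    results["signed_hostile"] = handle_callback_verified(
        secret, sign_callback(secret, hostile, now), hostile, now)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point the second handler makes is that a callback signature only closes the hole when the key stays with the server: a secret that is displayed to the user who created the webhook would let that same user forge callbacks. The timestamp window and the action allow-list are defence in depth beyond what the advisory describes, and in a real deployment the secret would be stored per webhook rather than generated at run time.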
Potential Impact
For European organizations the consequences are serious. iTop typically holds the service desk, CMDB and workflow data an IT department runs on; dropping its database removes tickets, asset records, change history and configuration in one step and halts incident, change and asset management until a backup is restored. Because iTop commonly stores personal data about users and contacts, and GDPR counts unlawful destruction of personal data as a personal data breach, the incident may also have to be assessed and, where required, notified. Sectors that depend on ITSM tooling for regulated or critical operations, such as healthcare, finance and public administration, are most exposed. Recovery means a full database restore plus reconciliation of everything changed since the last backup, and the episode can carry reputational cost. Since exploitation requires the right to create webhooks, the realistic threat actors are malicious insiders and attackers who have already obtained an administrator account; the network attack vector means such an account can be abused remotely from wherever the iTop interface is reachable.
Mitigation Recommendations
Upgrade Combodo iTop to 2.7.13 (2.7 branch) or 3.2.2 (3.x branch) or later; these releases verify webhook callback signatures and are the only complete fix. Until the upgrade is done, treat the right to create webhooks as equivalent to full administrative access, confine it to the smallest possible set of accounts, and review every existing webhook definition for anything unexpected. Protect administrator accounts with multi-factor authentication and restrict reachability of the iTop web interface, in particular its administration pages, to trusted networks or IP ranges, since the attack vector is network-based. Keep frequent, tested backups of the iTop database stored where an iTop administrator cannot delete them; the entire impact of this flaw is data loss, so restore capability is the primary compensating control. Enable audit logging on the database server so that a DROP DATABASE or DROP TABLE statement issued through the application's account is recorded and alerted on, and review iTop's own logs for webhook activity. A further hardening step, not described in the advisory and to be tested on a staging instance first because iTop's setup, module upgrades and some data-synchronization features need DDL rights, is to run the day-to-day application database account without the DROP privilege and grant it only for maintenance windows. A web application firewall adds little here: the attacker is an authenticated administrator whose requests look like normal application traffic. Finally, make sure vulnerability scanning covers the installed iTop version so this and future advisories are picked up.
Affected Countries
France, Germany, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-06-02T10:39:41.635Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6912576658b9e66d50002ec7
Added to database: 11/10/2025, 9:21:42 PM
Last enriched: 11/10/2025, 9:34:34 PM
Last updated: 11/11/2025, 12:07:43 AM
Related Threats
- CVE-2025-63678: n/a (severity: Unknown)
- CVE-2025-11892: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in GitHub Enterprise Server (severity: High)
- CVE-2025-11578: CWE-59 Improper Link Resolution Before File Access ('Link Following') in GitHub Enterprise Server (severity: High)
- CVE-2025-64529: CWE-770: Allocation of Resources Without Limits or Throttling in authzed spicedb (severity: Low)
- CVE-2025-64522: CWE-918: Server-Side Request Forgery (SSRF) in charmbracelet soft-serve (severity: Critical)