CVE-2025-64167: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Combodo iTop
Combodo iTop is a web-based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to a cross-site scripting attack (leading to JS execution) when editing the URL parameter. Versions 2.7.13 and 3.2.2 don't use export.php, which was deprecated. They use export-v2.php instead.
AI Analysis
Technical Summary
CVE-2025-64167 is a cross-site scripting (XSS) vulnerability classified under CWE-79 found in Combodo iTop, an IT service management web application. The vulnerability exists in versions prior to 2.7.13 and between 3.0.0-alpha and 3.2.2, specifically due to improper neutralization of input when editing the URL parameter. This flaw allows an attacker to inject malicious JavaScript code that executes in the context of the victim’s browser session when the crafted URL parameter is processed. The vulnerability stems from the use of export.php in older versions, which was deprecated and replaced by export-v2.php in fixed versions. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N) indicates that the attack can be launched remotely over the network without privileges, requires low attack complexity, and user interaction is necessary (e.g., clicking a malicious link). The impact on confidentiality is high because the attacker can steal sensitive session data or perform actions on behalf of the user, while integrity impact is low and availability is unaffected. No known exploits have been reported in the wild yet, but the vulnerability poses a significant risk due to the widespread use of iTop in IT service management environments. The vulnerability was publicly disclosed on November 10, 2025, and no official patches or advisories were linked in the provided data, but upgrading to versions 2.7.13 or 3.2.2 mitigates the issue by removing the vulnerable export.php endpoint and improving input handling.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive IT service management data and user sessions. Attackers exploiting this XSS flaw could hijack user sessions, steal authentication tokens, or perform unauthorized actions within the iTop application, potentially leading to data leakage or unauthorized configuration changes. Since iTop is often used to manage IT assets, incidents, and service requests, compromise could disrupt IT operations or expose sensitive internal information. Because user interaction is required, phishing or social engineering campaigns could be used to trick employees into clicking malicious links, which widens the set of practical delivery paths. Given the high CVSS score and the critical role of ITSM tools, organizations in sectors such as finance, healthcare, government, and critical infrastructure across Europe could face operational and reputational damage if exploited. The lack of known exploits in the wild suggests a window of opportunity for proactive mitigation before active attacks emerge.
Mitigation Recommendations
European organizations should immediately assess their iTop deployments and identify versions affected by this vulnerability. The primary mitigation is to upgrade to Combodo iTop versions 2.7.13 or 3.2.2, which have removed the vulnerable export.php endpoint and improved input sanitization. If upgrading is not immediately feasible, organizations should implement web application firewall (WAF) rules to detect and block suspicious URL parameters that could carry XSS payloads. Additionally, applying strict Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Security teams should conduct user awareness training to reduce the risk of users clicking on malicious links. Regular security testing and code reviews should be performed to detect similar input validation issues. Monitoring logs for unusual URL parameter usage and anomalous user behavior can help detect exploitation attempts early. Finally, organizations should coordinate with Combodo support for any available patches or guidance and subscribe to vulnerability advisories for timely updates.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-10-28T21:07:16.438Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6912576658b9e66d50002ed0
Added to database: 11/10/2025, 9:21:42 PM
Last enriched: 11/10/2025, 9:34:13 PM
Last updated: 11/11/2025, 2:19:25 AM