Auth bypass in Combodo Itop
CVE-2025-24021
iTop is a web-based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, any user whose account has portal access can set values on object fields that the portal is not supposed to let them write. Versions 2.7.12, 3.1.3, and 3.2.1 contain…
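The bug class behind this advisory, as an illustrative example added here (it is not iTop's code and does not reproduce the exact iTop code path): a form handler that applies every submitted field to an object, so a portal user who adds fields the form never displayed gets them written, beside a hardened handler that checks each submitted field against a server-side per-profile write policy before applying anything. The `Ticket` class, the profile names and the `WRITABLE_FIELDS` policy are assumptions made for the demonstration.

```python
"""Illustrative example, added here; not iTop's code.

Shows the bug class the advisory describes: a form handler that writes every
submitted field without checking whether the requester's profile may write it.
The Ticket class, profile names and WRITABLE_FIELDS policy are assumptions."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Ticket:
    title: str = ""
    description: str = ""
    status: str = "new"
    priority: int = 3
    agent_id: int | None = None


# Assumed server-side policy: the attributes each profile may write.
# A field absent from a profile's set is read-only for that profile.
WRITABLE_FIELDS: dict[str, frozenset[str]] = {
    "Portal user": frozenset({"title", "description"}),
    "Support Agent": frozenset({"title", "description", "status", "priority", "agent_id"}),
}


class ForbiddenFieldWrite(Exception):
    """Raised when a submission tries to write a field its profile may not."""


def update_ticket_vulnerable(ticket: Ticket, submitted: dict[str, object]) -> Ticket:
    """The flawed pattern: the fields shown on the form are the only 'control',
    so a client that adds extra fields to the POST body gets them written."""
    for name, value in submitted.items():
        setattr(ticket, name, value)
    return ticket


def denied_field_writes(submitted: dict[str, object], profile: str) -> list[str]:
    """Return the submitted field names that `profile` is not allowed to write.
    An unknown profile gets an empty allow-list, i.e. every write is denied."""
    allowed = WRITABLE_FIELDS.get(profile, frozenset())
    return sorted(name for name in submitted if name not in allowed)


def update_ticket_hardened(ticket: Ticket, submitted: dict[str, object], profile: str) -> Ticket:
    """Enforce the write policy on the server before any value is applied.
    Rejecting the whole request, rather than silently dropping the extra
    fields, keeps a denied attempt visible to logging and to the client."""
    denied = denied_field_writes(submitted, profile)
    if denied:
        raise ForbiddenFieldWrite(f"profile {profile!r} may not write: {', '.join(denied)}")
    for name, value in submitted.items():
        setattr(ticket, name, value)
    return ticket


if __name__ == "__main__":
    # Constructed POST body: a portal user adds fields the form never displayed.
    tampered = {"title": "Printer jammed", "status": "closed", "agent_id": 7}
    print("vulnerable:", update_ticket_vulnerable(Ticket(), tampered))
    try:
        update_ticket_hardened(Ticket(), tampered, "Portal user")
    except ForbiddenFieldWrite as exc:
        print("hardened:", exc)
```

The check has to live on the server and be keyed by the caller's profile: hiding a field in the portal form is not an access control, because the request body is under the client's control. Deciding per field (rather than per object) is what distinguishes this class from a plain object-level authorization check, and rejecting instead of silently filtering means the attempt lands in the logs.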
Vulnerability class: Broken Access Control
EPSS: 0.002 (12.9th percentile), i.e. an estimated 0.2% probability of exploitation activity in the next 30 days.
CVSS v3 metric
CVSS v3 base score 5.0 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N.
Affected products
- Combodo Itop — versions < 2.7.12; >= 3.0.0 and < 3.1.3; >= 3.2.0 and < 3.2.1
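A helper added here (not part of the advisory) to test an installed iTop version string against the three affected ranges above. The fixed release for an affected install is the upper bound of the range it falls in. Treating anything after the first "-" as a build suffix (e.g. "3.1.2-1") is an assumption about iTop's version format; the ranges themselves are taken from the advisory.

```python
"""Added helper, not part of the advisory: check an iTop version string
against the affected ranges listed in the advisory.

Assumption: a "-N" suffix (e.g. "3.1.2-1") is a build number and is ignored."""
from __future__ import annotations

# (lower bound inclusive, or None for no lower bound; upper bound exclusive).
# Each upper bound is also the fixed release on that branch.
AFFECTED_RANGES: tuple[tuple[tuple[int, int, int] | None, tuple[int, int, int]], ...] = (
    (None, (2, 7, 12)),       # < 2.7.12
    ((3, 0, 0), (3, 1, 3)),   # >= 3.0.0 and < 3.1.3
    ((3, 2, 0), (3, 2, 1)),   # >= 3.2.0 and < 3.2.1
)


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn "3.1.2-1" or "3.2" into a comparable (major, minor, patch) tuple.
    Anything after the first "-" is treated as a build suffix and dropped."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in parts) + (0,)   # pad a missing patch level
    return nums[0], nums[1], nums[2]


def fixed_release_for(text: str) -> tuple[int, int, int] | None:
    """Return the fixed release on the install's branch, or None if the
    version is not inside any affected range."""
    v = parse_version(text)
    for lower, upper in AFFECTED_RANGES:
        if (lower is None or v >= lower) and v < upper:
            return upper
    return None


def is_affected(text: str) -> bool:
    return fixed_release_for(text) is not None


if __name__ == "__main__":
    # Constructed sample inputs covering each range edge and the gap between them.
    for sample in ("2.7.11-2", "2.7.12", "3.0.5", "3.1.2-1", "3.1.3", "3.1.4", "3.2.0", "3.2.1", "3.3.0"):
        fix = fixed_release_for(sample)
        status = f"affected, upgrade to {'.'.join(map(str, fix))}" if fix else "not affected"
        print(f"{sample:10} {status}")
```

Note the gap the ranges leave: a 3.1.x release at or above 3.1.3 is already fixed even though it is below 3.2.1, so a naive "anything below 3.2.1 is vulnerable" check would misreport it. Every 1.x and 2.x release below 2.7.12 is inside the first range.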
Weakness classification (CWE)
- Missing Authorization (CWE-862)
Public proof-of-concept exploits
References
- security-advisories@github.com (x_refsource_CONFIRM, Vendor Advisory)
- security-advisories@github.com (x_refsource_MISC)
Frequently asked questions
- What is CVE-2025-24021?
- CVE-2025-24021 is a medium-severity vulnerability in Combodo Itop, classified under Missing Authorization. CVSS score: 5.0/10. Published 2025-05-14.
- How severe is CVE-2025-24021?
- Medium severity. CVSS v3 base score is 5.0 out of 10.
- Is CVE-2025-24021 known to be exploited?
- One public proof-of-concept repository is indexed. Not currently listed in the CISA KEV catalog.