
Combodo iTop

Product
Developers: Combodo
Last Release Date: 2016/02/10
Technology: ITSM - IT service management systems,  IT infrastructure management system (devices, configurations)


Main article: IT Service Management (ITSM)

iTop is an open-source product that combines a CMDB (configuration management database) with ITSM functionality.

2025: Elimination of a vulnerability that allows remote execution of commands in the OS

PT SWARM expert Maxim Ilyin helped fix a vulnerability in iTop, an open-source web application designed to automate IT infrastructure management and keep services running without interruption. Exploiting the vulnerability could allow an attacker to remotely execute commands on the operating system and then penetrate the company's internal infrastructure or move laterally across the network. The project developer was notified of the threat under a responsible disclosure policy and issued an update. Positive Technologies announced this on November 21, 2025.

Vulnerability PT-2025-46182 [1] (CVE-2025-47286, BDU: 2025-06926) affects iTop versions prior to 2.7.13 and 3.2.2 (for the 2.7 and 3.x branches, respectively) and is rated 8.6 out of 10 on the CVSS 4.0 scale, which corresponds to a high level of threat. For a successful attack, it would be enough for an attacker to obtain the password of a user with administrative rights, after which he could remotely execute arbitrary code. The flaw potentially gave the intruder access to the company's internal infrastructure and data.

To address the security issue, the iTop web application should be upgraded to at least version 2.7.13 or 3.2.2 as soon as possible. If the update cannot be installed, the Positive Technologies expert recommends removing the system from the organization's external perimeter, replacing employee passwords with complex ones and enabling multifactor authentication. These measures reduce the risk of an attacker gaining unauthorized access to the system.
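A defender with several iTop instances needs to know which of them fall into the affected range and which interim measures from the advisory apply to each. The following triage script is an added example (not code from the page, from Positive Technologies or from Combodo). It assumes, as an interpretation of the advisory text, that every 3.x release below 3.2.2 (3.0.x and 3.1.x included) is affected and that 2.7.x releases below 2.7.13 are affected; version strings follow the `major.minor.patch` shape with an optional package suffix such as `-1`, and the host inventory at the bottom is constructed sample data.

```python
from __future__ import annotations

import re
from typing import NamedTuple, Optional

# Fixed releases per branch, as stated in the advisory text above.
# Assumption (not stated on the page): every 3.x release below 3.2.2,
# i.e. 3.0.x and 3.1.x, is treated as affected.
FIXED_VERSIONS = {
    "2.7": (2, 7, 13),
    "3": (3, 2, 2),
}

# major.minor.patch with an optional suffix such as "-2" (assumed format).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.].*)?$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn a version string such as '3.1.0-2' or '2.7.9' into (major, minor, patch)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised iTop version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> Optional[bool]:
    """True if the version is in the affected range, False if it carries the fix,
    None if the branch is not covered by the advisory (e.g. 2.6.x)."""
    parsed = parse_version(version)
    major, minor, _ = parsed
    if (major, minor) == (2, 7):
        return parsed < FIXED_VERSIONS["2.7"]
    if major == 3:
        return parsed < FIXED_VERSIONS["3"]
    return None


class Host(NamedTuple):
    name: str
    version: str
    internet_facing: bool
    mfa_enabled: bool


def triage(host: Host) -> dict:
    """Map one host to the actions recommended in the advisory."""
    verdict = is_affected(host.version)
    actions: list[str] = []
    if verdict is True:
        major, minor, _ = parse_version(host.version)
        target = "2.7.13" if (major, minor) == (2, 7) else "3.2.2"
        actions.append(f"upgrade to {target} or later")
        # Interim measures named in the advisory while the update is pending.
        if host.internet_facing:
            actions.append("remove from the external perimeter until patched")
        if not host.mfa_enabled:
            actions.append("enable multifactor authentication for iTop accounts")
        actions.append("replace weak administrator passwords with complex ones")
    elif verdict is None:
        actions.append("branch not covered by the advisory; confirm support status with the vendor")
    return {"host": host.name, "version": host.version, "affected": verdict, "actions": actions}


# Constructed sample inventory; hostnames and versions are not real deployments.
SAMPLE_INVENTORY = [
    Host("itop-prod", "3.1.0-2", internet_facing=True, mfa_enabled=False),
    Host("itop-legacy", "2.7.9", internet_facing=False, mfa_enabled=True),
    Host("itop-patched", "3.2.2", internet_facing=True, mfa_enabled=True),
    Host("itop-old", "2.6.3", internet_facing=False, mfa_enabled=False),
]


def run_triage(inventory: list[Host] = SAMPLE_INVENTORY) -> list[dict]:
    return [triage(h) for h in inventory]


if __name__ == "__main__":
    for row in run_triage():
        print(f"{row['host']:<14} {row['version']:<8} affected={row['affected']}")
        for action in row["actions"]:
            print(f"    - {action}")
```

In practice the inventory would be read from a CMDB export or a scan result rather than hard-coded; the version comparison and the branch logic are the parts worth keeping, since a plain string comparison would rank `2.7.9` above `2.7.13`.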

iTop is in demand: on GitHub its repository has been starred by nearly 1,000 users and forked more than 250 times.

To exploit the vulnerability, an attacker would first need to obtain administrative access to the iTop software. Hypothetically, he could guess a user's login and password or find a system on which the application had not been fully installed. In the second case, the offender could complete the installation himself and set an administrator password. Having obtained elevated privileges, the attacker would be able to start a backup procedure, during which he could execute arbitrary code.

"Successful exploitation of the vulnerability could allow an attacker to gain initial access to the company's internal infrastructure or help advance through it," said Maxim Ilyin, a specialist in penetration testing at Positive Technologies. "Once in the corporate segment of the internal network, an attacker would gain access to confidential data of the organization. Subsequently, the offender could hypothetically encrypt sensitive information to demand a ransom."

2016: iTop 2.2.1

On February 10, 2016, Combodo announced the release of iTop 2.2.1[1].

Screenshot of the software window (2015)

iTop helps to organize a technical support service (helpdesk), store information about equipment and assets (networks, licenses, etc.) and generate reports. The source code is written in PHP, and MySQL is used as the database. The product is licensed under the GNU Affero GPL v3.

iTop 2.2.1 fixes a number of bugs (many files left in tmp after failed backups, the message "A restore is running. Please wait..." getting stuck, zeros at the beginning of lines when exporting to Excel, etc.) and includes changes to the e-mail support and synchronization module.

Notes