A high-severity vulnerability has been identified in multiple Combodo products, including the iTop IT service management tool. This flaw could allow a remote, unauthenticated attacker to take full control of the affected server, posing a significant risk of data breach, service disruption, and further network compromise. Immediate patching is required to mitigate this critical threat to IT operations and infrastructure data.

This vulnerability is a critical remote code execution (RCE) flaw within the application's data import functionality. An unauthenticated remote attacker can craft a specially designed XML or CSV file and upload it to a publicly accessible API endpoint. Due to improper input validation and unsafe processing of the uploaded file, the attacker can embed and execute arbitrary commands with the privileges of the web server user, leading to a complete compromise of the underlying server.

This vulnerability is rated as High severity with a CVSS score of 8.8. Successful exploitation would grant an attacker complete control over the iTop server, which often acts as a central repository for an organization's IT asset data, incident tickets, change management records, and user information. The potential consequences include theft of sensitive administrative credentials, manipulation or deletion of critical IT service data, widespread operational disruption, and using the compromised server as a pivot point to launch further attacks against the internal network. This could result in significant financial loss, reputational damage, and regulatory penalties.

Immediate Action: Apply vendor security updates immediately across all affected Combodo iTop instances. Prioritize patching for systems that are exposed to the internet. After patching, review web server and application access logs for any signs of compromise or exploitation attempts that may have occurred prior to the update.

Proactive Monitoring: Security teams should actively monitor for indicators of compromise. This includes inspecting web server logs for unusual POST requests to API endpoints, particularly those related to file or data imports. Monitor for suspicious child processes spawned by the web server process (e.g., sh, bash, powershell.exe) and unexpected outbound network connections from the iTop server to unknown IP addresses.

Compensating Controls: If immediate patching is not feasible, implement compensating controls to reduce risk. Place the application behind a Web Application Firewall (WAF) with rules configured to inspect and block malicious file uploads or suspicious payloads in API traffic. Restrict access to the iTop application at the network level, allowing connections only from trusted internal IP ranges or requiring users to connect via a VPN.

Public Exploit Available: false

Due to the high severity (CVSS 8.8) and the risk of unauthenticated remote code execution, this vulnerability represents a critical threat to the organization. All system administrators should treat the remediation of this vulnerability as their highest priority. While this vulnerability is not currently on the CISA KEV list, its critical nature makes it a prime candidate for future inclusion. Organizations are strongly advised to apply the vendor-supplied patches to all affected iTop instances without delay to prevent a potential compromise.