A critical security flaw in Combodo iTop, a widely adopted IT service management platform, could allow attackers to achieve remote code execution (RCE) and gain full control over affected systems.
Tracked as CVE-2025-47286, this vulnerability resides within the software's backup creation functionality. It poses a significant risk to organizations because it can be exploited by an authenticated administrator, whether a malicious insider or an external attacker who has compromised an administrative account, to execute arbitrary commands on the server. The flaw affects iTop versions prior to 2.7.13 and 3.2.2.
Combodo iTop, a prominent web-based solution, helps businesses manage their IT infrastructure, assets, and services, making it a central component for many organizations' operational continuity. The vulnerability, identified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), permits an authenticated administrator to alter the iTop instance's configuration, leading directly to the execution of arbitrary code on the hosting server. This method of compromise bypasses typical security controls by leveraging a legitimate administrative function for malicious purposes. The Common Vulnerability Scoring System (CVSS) v4.0 assigned a high severity score of 8.6, underscoring the potential for significant damage if exploited.
A flaw that permits remote code execution is considered critical because it grants attackers extensive control over the compromised system. In the context of an IT service management tool like iTop, this could translate into unauthorized access to sensitive company data, disruption of essential IT operations, or the deployment of further malicious software across the network. Combodo, the developer of iTop, has addressed this vulnerability by releasing patched versions 2.7.13 and 3.2.2. These updates incorporate fixes that properly escape and validate configuration parameters, preventing the execution of malicious commands and closing this specific attack vector. The security advisory detailing the fix can be found on GitHub.
Given the potential for severe operational impact and data compromise, organizations relying on Combodo iTop are strongly advised to prioritize and implement these updates immediately to safeguard their critical IT infrastructure and maintain the integrity of their enterprise systems.