CVE-2025-49145 HIGH

CVE-2025-49145: iTop admin can drop iTop database using webhooks

Vendor Combodo
Product iTop
Weakness CWE-863 · Incorrect authorization
Published November 10, 2025
Last update November 10, 2025

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Scope Changed
Confidentiality None
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H

What the vulnerability does

Description

Combodo iTop is a web-based IT service management tool. In versions prior to 2.7.13 and 3.2.2, a user with sufficient rights to create webhooks (mostly administrators) can drop the database. This is fixed in iTop 2.7.13 and 3.2.2 by verifying the callback signature.

Key dates

Disclosure timeline

November 10, 2025 CVE published
November 10, 2025 Record updated