Home / Vulnerability Intelligence / CVE-2025-15602

CVE-2025-15602 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: March 9, 2026

Snipe-IT - Broken Access Control

Published: March 6, 2026Updated: March 9, 2026Remote Exploitable

Overview

Snipe-IT < 8.3.7 contains a broken access control caused by insufficient protection against mass assignment in user attributes, letting authenticated low-privileged users modify restricted fields and take over Super Admin accounts, exploit requires authentication.

Severity & Score

Severity: High

CVSS Score: 8.8

EPSS Score: 1.9%(Probability of exploitation in next 30 days)

Impact

Low-privileged authenticated users can take over Super Admin accounts, gaining full administrative control of the Snipe-IT instance.

Mitigation

Upgrade to version 8.3.7 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 7, 2026

🟠 CVE-2025-15602 - High (8.8) Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently protected against mass assignment. An authenticated, low-privileged user can craft a malicious API request to modify restricte... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-15602/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2025-15602
Severity: High
CVSS Score: 8.8
Type: broken_access_control
Status: unconfirmed
EPSS: 1.9%
Social Posts: 1

CWE

CWE-915

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

1.9%Probability of exploitation in the next 30 days