CVE-2025-15602
Published: 06 March 2026
Summary
CVE-2025-15602 is a high-severity Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915) vulnerability in Snipeitapp Snipe-It. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 7.1st percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Enforces approved access authorizations, preventing low-privileged users from modifying restricted fields like email and privileges on other user accounts via crafted API requests.
Requires validation of information inputs to API endpoints, directly mitigating mass assignment vulnerabilities by rejecting unauthorized updates to sensitive user attributes.
Manages user accounts to restrict modifications to privileged accounts, ensuring low-privileged users cannot alter Super Admin details leading to account takeover.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The mass assignment flaw directly enables unauthorized modification of privileged user attributes (e.g., email) via the API, facilitating account takeover and privilege escalation from a low-privileged authenticated user to Super Admin.
NVD Description
Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently protected against mass assignment. An authenticated, low-privileged user can craft a malicious API request to modify restricted fields of another user account, including the Super Admin account. By changing the email address of the Super Admin and triggering a password reset, an attacker can fully take over the Super Admin account, resulting in complete administrative control of the Snipe-IT instance.
Deeper analysis
CVE-2025-15602 is a vulnerability in Snipe-IT versions prior to 8.3.7, where sensitive user attributes related to account privileges are insufficiently protected against mass assignment. This flaw, published on 2026-03-06, allows unauthorized modification of restricted user fields via API requests and is rated with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H), mapped to CWE-915.
An authenticated low-privileged user can exploit the vulnerability by crafting a malicious API request to alter restricted fields on another user account, including the Super Admin account. The attacker can change the Super Admin's email address and then trigger a password reset, enabling full takeover of the account and resulting in complete administrative control over the Snipe-IT instance.
Advisories recommend upgrading to Snipe-IT version 8.3.7 or later to mitigate the issue, as detailed in the release notes at https://github.com/grokability/snipe-it/releases/tag/v8.3.7. Further information is available on the official Snipe-IT website at https://snipeitapp.com/ and the VulnCheck advisory at https://www.vulncheck.com/advisories/snipe-it-mass-assignment-vulnerability-leading-to-privilege-escalation.
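The mass-assignment pattern described above, shown beside an authorization-aware allowlist that closes it, as an added illustration in plain PHP (this is not Snipe-IT's own code; the field names and the super-admin flag are assumptions):

```php
<?php
// Added illustration, not Snipe-IT's code: why applying every client-supplied key to a
// user record is a mass-assignment flaw, and how an authorization-aware allowlist closes it.
// Field names and the "super admin" flag are hypothetical.

// Attributes a caller permitted to edit a profile may change.
const SAFE_FIELDS = ['first_name', 'last_name', 'phone', 'notes'];
// Attributes that control account access or privileges: only a super admin may set them.
const PRIVILEGED_FIELDS = ['email', 'username', 'password', 'activated', 'permissions'];

// Weak pattern: every key in the request body is written to the record. In a Laravel
// app this is what `$user->update($request->all())` does when the model's $fillable
// list (or an absent $guarded list) leaves privileged attributes assignable.
function applyUpdateUnfiltered(array $user, array $payload): array
{
    return array_merge($user, $payload);
}

// Hardened pattern: the writable set is derived from the caller's authorization, not
// from what the client sent. Keys outside the allowlist are collected in $rejected so
// the caller can log the attempt (a low-privileged account sending `email` is a signal).
function filterUpdatePayload(array $payload, bool $callerIsSuperAdmin, array &$rejected): array
{
    $allowed = $callerIsSuperAdmin ? array_merge(SAFE_FIELDS, PRIVILEGED_FIELDS) : SAFE_FIELDS;
    $accepted = [];
    foreach ($payload as $key => $value) {
        if (in_array($key, $allowed, true)) {
            $accepted[$key] = $value;
        } else {
            $rejected[] = (string) $key;
        }
    }
    return $accepted;
}

// Constructed sample: a target admin record and a payload that bundles a harmless name
// change with an attempt to rewrite the email address.
$admin   = ['id' => 1, 'first_name' => 'Root', 'email' => 'admin@example.invalid', 'permissions' => ['superuser' => 1]];
$payload = ['first_name' => 'Alice', 'email' => 'someone-else@example.invalid'];

$rejected   = [];
$unfiltered = applyUpdateUnfiltered($admin, $payload);
$filtered   = array_merge($admin, filterUpdatePayload($payload, false, $rejected));
printf("unfiltered email: %s\nfiltered email: %s\nrejected keys: %s\n",
    $unfiltered['email'], $filtered['email'], implode(',', $rejected));
```

Run with `php mass_assignment.php`: the unfiltered branch reports the client-supplied address, while the filtered branch keeps the original address and lists `email` as a rejected key, which is the event worth alerting on.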
Details
- CWE(s)