Cyber Resilience

CVE-2025-15602

High · Public PoC

Published: 06 March 2026

Modified: 17 April 2026
KEV Added: not listed
Patch: Snipe-IT 8.3.7
CVSS Score (v4): 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0046 (36.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-15602 is a high-severity Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915) vulnerability in Snipeitapp Snipe-It. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 36.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-15602 is a vulnerability in Snipe-IT versions prior to 8.3.7, where sensitive user attributes related to account privileges are insufficiently protected against mass assignment. This flaw, published on 2026-03-06, allows unauthorized modification of restricted user fields via API requests and is rated with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H), mapped to CWE-915.

An authenticated low-privileged user can exploit the vulnerability by crafting a malicious API request to alter restricted fields on another user account, including the Super Admin account. The attacker can change the Super Admin's email address and then trigger a password reset, enabling full takeover of the account and resulting in complete administrative control over the Snipe-IT instance.

Advisories recommend upgrading to Snipe-IT version 8.3.7 or later to mitigate the issue, as detailed in the release notes at https://github.com/grokability/snipe-it/releases/tag/v8.3.7. Further information is available on the official Snipe-IT website at https://snipeitapp.com/ and the VulnCheck advisory at https://www.vulncheck.com/advisories/snipe-it-mass-assignment-vulnerability-leading-to-privilege-escalation.
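The mass assignment pattern behind this CVE and the allowlist-plus-authorization fix, as an added illustration in Python that is not Snipe-IT's own (PHP) code: the User fields, the role names and the `rejected` helper are assumptions. The vulnerable handler copies every key of the request body onto the target record, so a low-privileged actor can change another account's email; the hardened handler allowlists fields and authorizes privileged ones per actor.

```python
"""Constructed model of CWE-915 (mass assignment) in a user-update handler.
Roles, field names and users are assumptions, not Snipe-IT's schema."""
from dataclasses import dataclass


@dataclass
class User:
    id: int
    email: str
    role: str  # "user" or "superadmin" (assumed role names)
    name: str = ""


class Forbidden(Exception):
    """Raised when the actor may not change the requested attributes."""


def update_user_vulnerable(actor: User, target: User, body: dict) -> User:
    """Bulk-assigns every request key (CWE-915): no allowlist and no per-field
    authorization, so a low-privileged actor can rewrite any user's email."""
    for key, value in body.items():
        setattr(target, key, value)
    return target


SELF_EDITABLE = {"name"}        # any user may change these on their own record
PRIVILEGED = {"email", "role"}  # account-control fields: superadmin only

def update_user_hardened(actor: User, target: User, body: dict) -> User:
    """Rejects unknown fields, cross-account edits by non-admins, and
    privileged fields unless the actor is a superadmin."""
    requested = set(body)
    if requested - SELF_EDITABLE - PRIVILEGED:
        raise Forbidden("unexpected attributes in request body")
    if actor.role != "superadmin":
        if actor.id != target.id:
            raise Forbidden("non-admins may only edit their own account")
        if requested & PRIVILEGED:
            raise Forbidden("privileged attributes require superadmin")
    for key, value in body.items():
        setattr(target, key, value)
    return target

def rejected(handler, actor, target, body) -> bool:
    """True if the handler refused the update; lets callers check outcomes."""
    try:
        handler(actor, target, body)
    except Forbidden:
        return True
    return False
```

A detection-side takeaway from the hardened version is that every rejection is a loggable event: an API user-update request carrying privileged attributes for a different account is exactly the signal to alert on.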

Vulnerability details

Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently protected against mass assignment. An authenticated, low-privileged user can craft a malicious API request to modify restricted fields of another user account, including the Super Admin account. By changing the email address of the Super Admin and triggering a password reset, an attacker can fully take over the Super Admin account, resulting in complete administrative control of the Snipe-IT instance.

CWE(s): CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1098 Account Manipulation (tactic: Persistence)
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Why these techniques?

The mass assignment flaw directly enables unauthorized modification of privileged user attributes (e.g., email) via the API, facilitating account takeover and privilege escalation from a low-privileged authenticated user to Super Admin.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-44832 (same product: Snipeitapp Snipe-It)
CVE-2025-63601 (same product: Snipeitapp Snipe-It)
CVE-2026-44833 (same product: Snipeitapp Snipe-It)
CVE-2026-37709 (same product: Snipeitapp Snipe-It)
CVE-2026-48150 (shared CWE-915)
CVE-2026-45229 (shared CWE-915)
CVE-2026-34406 (shared CWE-915)
CVE-2026-34427 (shared CWE-915)
CVE-2026-34179 (shared CWE-915)
CVE-2026-6912 (shared CWE-915)

Affected Assets

snipeitapp snipe-it ≤ 8.3.7

Mitigating Controls (NIST 800-53 r5, AI-mapped)

prevent (AC-3, Access Enforcement): Enforces approved access authorizations, preventing low-privileged users from modifying restricted fields such as email and privileges on other user accounts via crafted API requests.

prevent: Requires validation of information inputs to API endpoints, directly mitigating mass assignment vulnerabilities by rejecting unauthorized updates to sensitive user attributes.

prevent (AC-2, Account Management): Manages user accounts to restrict modifications to privileged accounts, ensuring low-privileged users cannot alter Super Admin details that would lead to account takeover.
