Hello,
This security advisory addresses a privilege escalation vulnerability caused by insecure regular expressions in URL path handling in ServiceDesk Plus, which has been identified and rectified.
We strongly urge all customers to upgrade to the latest version of ServiceDesk Plus immediately.
CVE ID: CVE-2025-8309
Severity: High
Impact
Allows an authenticated, low-privileged user to take control of any account, including administrator accounts, potentially leading to data exposure and unauthorized actions.
What led to the vulnerability?
The vulnerability was caused by overly permissive regular expression (regex) rules in URL mapping: wildcards in these rules caused servlet paths to be matched incorrectly, which allowed privilege escalation.
This vulnerability is applicable only under the following conditions:
A threat actor can only target a user account that is not associated with an email address. The vulnerability has no impact if local authentication is disabled or if the target user account has an associated email address.
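The following is an added illustration of the bug class described above, not code from ServiceDesk Plus: the URL patterns, path names and helper functions are hypothetical. It contrasts an unanchored, wildcard-heavy mapping rule with an anchored one, and includes a small review check that lists every path a rule exempts from authentication beyond the set it was meant to cover.

```python
import re

# Hypothetical URL mapping rules (assumed for this example; not the product's own).
# Permissive: unanchored, and ".*" can span "/" so the rule matches any path that
# merely contains "/public/" somewhere after "/api/".
PERMISSIVE_PUBLIC = re.compile(r"/api/.*/public/.*")

# Strict: anchored at both ends, fixed segments, and a last segment that cannot
# contain "/", so the match cannot spill over into neighbouring handlers.
STRICT_PUBLIC = re.compile(r"^/api/v1/public/[A-Za-z0-9_-]+$")


def normalize_path(raw_path):
    """Drop the query string and collapse repeated slashes before matching."""
    path = raw_path.split("?", 1)[0]
    return re.sub(r"/{2,}", "/", path)


def allowed_without_auth(raw_path, rule):
    """True if RULE exempts the normalized path from authentication.

    re.search mirrors how an unanchored mapping behaves; anchored rules still
    work correctly under search because their ^ and $ constrain the match.
    """
    return rule.search(normalize_path(raw_path)) is not None


def unintended_matches(rule, intended, candidates):
    """Review aid: paths that RULE exempts but that are not in INTENDED."""
    return sorted(
        p for p in candidates
        if allowed_without_auth(p, rule) and normalize_path(p) not in intended
    )


# Constructed sample data for the check (not real endpoints).
INTENDED_PUBLIC = {"/api/v1/public/status", "/api/v1/public/login-page"}
SAMPLE_PATHS = [
    "/api/v1/public/status",
    "/api/v1/public/login-page?lang=en",
    "/api/v1/private/reports/public/summary",
    "/api/v2/public/status",
    "/api/v1/users/42/public/profile",
]

if __name__ == "__main__":
    for rule in (PERMISSIVE_PUBLIC, STRICT_PUBLIC):
        print(rule.pattern, "->", unintended_matches(rule, INTENDED_PUBLIC, SAMPLE_PATHS))
```

Running the check against a candidate rule before deploying it surfaces over-broad matches early; the strict rule above reports an empty list for the same sample paths.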
Who is affected?
This vulnerability affects ServiceDesk Plus customers using versions 15100 and below.
How was the issue fixed?
Stricter URL path validation was implemented to prevent unauthorized access, and unused API servlet classes along with their URL mappings were removed.
How to find out whether you are affected
Click the Help button in the top-right corner of the ServiceDesk Plus web client and select About from the drop-down to see your current version. Your installation is vulnerable if your current version is 15100 or below.
What customers should do
Customers using versions 15100 and below can upgrade to the latest version (15110) using the appropriate migration path listed here.
Customers can also upgrade to the appropriate versions mentioned below:
Your current version | Fixed version
14900 to 14980       |
14800 to 14860       |
Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to support@servicedeskplus.com or call us toll-free at +1.888.720.9500.
We strongly recommend upgrading your ServiceDesk Plus installation to the latest build as soon as possible. As per our support policy, support is provided only for builds that are within one year of the current date.
Important note: As always, make a copy of your entire ServiceDesk Plus installation folder before applying the upgrade and keep the copy in a separate location. If anything goes wrong during the upgrade, you will have this copy as a backup, which will keep all of your settings intact. If you are using Microsoft SQL Server as the back-end database, back up the ServiceDesk Plus database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.
We offer our sincerest apologies for any inconvenience this vulnerability may have caused. If you have any questions or concerns, please reach out to us at support@servicedeskplus.com.
Who is affected?
This vulnerability affects AssetExplorer customers using versions 7700 and below.
How was the issue fixed?
Stricter URL path validation was implemented to prevent unauthorized access, and unused API servlet classes along with their URL mappings were removed.
How to find out if you are affected
Click the Help button in the top-right corner of the AssetExplorer web client and select About from the drop-down to see your current version. Your installation is vulnerable if your current version is 7700 or below.
What customers should do
Customers using versions 7700 and below can upgrade to the latest version (7710) using the appropriate migration path listed here.
Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to assetexplorer-support@manageengine.com or call us toll-free at +1.888.720.9500.
Important note: As always, make a copy of your entire AssetExplorer installation folder before applying the upgrade and keep the copy in a separate location. If anything goes wrong during the upgrade, you will have this copy as a backup, which will keep all of your settings intact. If you are using Microsoft SQL Server as the back-end database, back up the AssetExplorer database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.