Pre-authentication SQL Injection to RCE in GLPI
Summary
A significant vulnerability has been identified in GLPI, a popular open-source IT asset management tool. This vulnerability, tracked as CVE-2025-24799 and CVE-2025-24801, allows an unauthenticated attacker to exploit SQL injection, potentially leading to remote code execution (RCE). The vulnerability is linked to the native inventory feature of GLPI, which is generally enabled and can be accessed without authentication.
Affected Systems and/or Applications
The vulnerability has been confirmed in version 10.0.17, but earlier versions may also be susceptible. Systems exposed to the internet with inadequate database security measures are particularly vulnerable. Organizations utilizing GLPI are advised to check their current version and implement the latest security patches promptly.
Technical Details / Attack Overview
This vulnerability stems from inadequate sanitization of SQL queries in the GLPI agent, specifically within the handleAgent function located in /src/Agent.php, which is utilised for inventory purposes. Attackers can send specially crafted HTTP requests to inject harmful SQL commands, enabling them to retrieve sensitive data, escalate privileges, and, in some instances, execute arbitrary code remotely.
The attack typically follows a structured approach: the attacker sends an SQL injection payload, which is processed by the database, allowing unauthorized access. If the attacker can manipulate database functions or leverage user-defined functions, they may write and execute PHP code on the server, ultimately achieving RCE. This issue is particularly concerning because it requires no prior authentication, making it easily exploitable in unpatched systems.
Security vendors such as Tenable and Qualys are expected to release detection rules, and organizations should ensure their vulnerability scanners are up to date to detect this issue.
Temporary Workarounds and Mitigations
The most effective mitigation is to apply the official patch [GLPI-patch-10.0.18] issued by GLPI. If immediate patching is not possible, organizations should disable the native inventory feature [GLPI-disable-native-inventory-feature] and/or restrict external access to GLPI, allowing only trusted networks to interact with the application. Additionally, hardening database permissions and ensuring that GLPI runs with the least privileges necessary can reduce the impact of a successful attack. However, given the nature of this vulnerability, patching remains the only foolproof solution.
Detection Guidance
If immediate patching is not possible, organizations should put the temporary workarounds and mitigations above in place, along with enhanced monitoring of web server logs for unusual SQL fragments in requests or unexpected authentication attempts.
Security teams can also use Intrusion Detection and Prevention Systems (IDS/IPS) to identify suspicious database activities.
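A log-triage helper for the web-server monitoring described above, added here as an example and not part of this advisory or of the GLPI project. It assumes the native inventory endpoint is served at /front/inventory.php and that legitimate agents identify themselves with a User-Agent beginning "GLPI-Agent"; both are adjustable constants, and the log lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# Assumptions (not from the advisory): the native inventory endpoint path and the
# User-Agent prefix legitimate GLPI agents send; adjust to your deployment.
INVENTORY_PATH = "/front/inventory.php"
AGENT_UA_PREFIX = "GLPI-Agent"

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# SQL fragments that have no business in an inventory request line.
SQLI_RE = re.compile(
    r"""['"]\s*(?:or|and|union|select|--|#|/\*)|\bunion\s+(?:all\s+)?select\b"""
    r"""|\b(?:sleep|benchmark)\s*\(|\binto\s+(?:out|dump)file\b""", re.I)

# Constructed sample lines for demonstration; not real traffic.
SAMPLE_LOG = [
    '198.51.100.20 - - [10/Mar/2025:10:00:01 +0000] "POST /front/inventory.php HTTP/1.1" 200 512 "-" "GLPI-Agent_v1.12"',
    '203.0.113.7 - - [10/Mar/2025:10:00:02 +0000] "GET /front/inventory.php?id=1\'%20OR%20\'1\'%3D\'1 HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '203.0.113.7 - - [10/Mar/2025:10:00:03 +0000] "POST /front/inventory.php HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.21 - - [10/Mar/2025:10:00:04 +0000] "GET /front/login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

def parse_line(line):
    """Split one combined-format line into named fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(entry):
    """Return a reason string when an inventory-endpoint request warrants review, else None."""
    if not entry["target"].startswith(INVENTORY_PATH):
        return None
    if SQLI_RE.search(unquote_plus(entry["target"])):
        return "sql-metacharacters-in-request"
    if not entry["ua"].startswith(AGENT_UA_PREFIX):
        return "non-agent-user-agent"
    return None

def scan(lines):
    """Return (ip, target, reason) for each suspicious entry."""
    # Payloads carried in a POST body never reach the access log; pair this with
    # database query logging so body-borne injection is also visible.
    findings = []
    for entry in filter(None, map(parse_line, lines)):
        reason = is_suspicious(entry)
        if reason:
            findings.append((entry["ip"], entry["target"], reason))
    return findings
```

Run `scan()` over a real access log (one line per list element) to get a short list of requests worth a closer look; the user-agent heuristic only flags, it does not block.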
What the Cyber Fusion Center is Doing
The Cyber Fusion Center will persist in monitoring the situation and will issue advisory updates as necessary. Clients enrolled in our vulnerability scanning services will receive pertinent results if any vulnerabilities are detected within the scope of the scans, as soon as a relevant plugin becomes available from the scan provider.
References
For more information, refer to the technical security article [lexfo-technical-article], including proof-of-concept exploits.
Organizations should apply the recommended patch [GLPI-patch-10.0.18] and stay informed through security bulletins. Additional details regarding the upcoming CVE reports will be provided when they become available.
https://blog.lexfo.fr/glpi-sql-to-rce.html
https://glpi-project.org/glpi-10-0-18-is-available
https://github.com/glpi-project/glpi
https://glpi-agent.readthedocs.io/en/1.12/plugins/inventory-server-plugin.html#setup