CVE-2025-21619
Published: 18 March 2025
Summary
CVE-2025-21619 is a critical-severity SQL Injection (CWE-89) vulnerability in Glpi-Project Glpi. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely flaw remediation by upgrading to GLPI 10.0.18 directly eliminates the SQL injection vulnerability in rules configuration forms.
Information input validation on rules configuration forms prevents execution of malicious SQL queries.
Least privilege enforcement restricts access to vulnerable administrator rules configuration forms, reducing exploitation opportunities.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The SQL injection vulnerability in the network-accessible GLPI web application directly enables adversaries to exploit the public-facing application (T1190) by submitting crafted inputs to the rules configuration forms, resulting in arbitrary database access and potential full compromise.
NVD Description
GLPI is a free asset and IT management software package. An administrator user can perfom a SQL injection through the rules configuration forms. This vulnerability is fixed in 10.0.18.
Deeper analysisAI
CVE-2025-21619 is a SQL injection vulnerability (CWE-89) in GLPI, a free asset and IT management software package. The flaw exists in the rules configuration forms, allowing malicious SQL queries to be executed. It affects GLPI versions prior to 10.0.18 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high impacts on confidentiality, integrity, and availability.
An administrator user can exploit this vulnerability by submitting crafted input through the rules configuration forms, enabling arbitrary SQL injection. Despite the CVSS metrics suggesting no privileges are required (PR:N), the vulnerability description specifies exploitation by an administrator, likely requiring authenticated access to those forms. Successful exploitation could allow attackers to read, modify, or delete database contents, potentially leading to full compromise of the GLPI instance.
The official GitHub Security Advisory (GHSA-pcmc-xv3g-hjxv) confirms the issue and states that it is fixed in GLPI version 10.0.18. Security practitioners should upgrade to this version or later to mitigate the vulnerability, and review access controls to rules configuration forms in affected deployments.
Details
- CWE(s)