CVE-2025-24799
Published: 18 March 2025
Summary
CVE-2025-24799 is a high-severity SQL Injection (CWE-89) vulnerability in Glpi-Project Glpi. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 3.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
GLPI, a free asset and IT management software package, contains a SQL injection vulnerability in its inventory endpoint that allows unauthenticated remote attackers to extract sensitive data. The flaw is tracked as CWE-89 and carries a CVSS 3.1 score of 7.5 reflecting network-accessible exploitation with no required credentials or user interaction; it was corrected in version 10.0.18.
An unauthenticated attacker can submit crafted requests to the inventory endpoint and leverage the injection to read arbitrary database contents, resulting in high-impact confidentiality loss without affecting integrity or availability.
The official GLPI security advisory recommends immediate upgrade to 10.0.18 to eliminate the vulnerable code path in the inventory handling logic.
EPSS for this CVE rose sharply from a low baseline to a peak of 0.7263 on 2026-03-03 before receding to the current value of 0.2884, indicating a clear post-disclosure increase in observed exploitation interest that warrants renewed attention.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6704
Vulnerability details
GLPI is a free asset and IT management software package. An unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 10.0.18.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in public-facing GLPI inventory endpoint directly maps to T1190 for exploitation; arbitrary SQL execution enables database data extraction mapping to T1213.006.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Timely flaw remediation directly eliminates the SQL injection vulnerability by patching GLPI to version 10.0.18.
Information input validation on the inventory endpoint prevents unauthenticated SQL injection through proper sanitization and use of prepared statements.
Monitoring for information disclosure detects unauthorized data extraction resulting from SQL injection exploitation on the inventory endpoint.