CVE-2025-24799
Published: 18 March 2025
Summary
CVE-2025-24799 is a high-severity SQL Injection (CWE-89) vulnerability in Glpi-Project Glpi. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 3.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely flaw remediation directly eliminates the SQL injection vulnerability by patching GLPI to version 10.0.18.
Information input validation on the inventory endpoint prevents unauthenticated SQL injection through proper sanitization and use of prepared statements.
Monitoring for information disclosure detects unauthorized data extraction resulting from SQL injection exploitation on the inventory endpoint.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in public-facing GLPI inventory endpoint directly maps to T1190 for exploitation; arbitrary SQL execution enables database data extraction mapping to T1213.006.
NVD Description
GLPI is a free asset and IT management software package. An unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 10.0.18.
Deeper analysisAI
CVE-2025-24799 is a SQL injection vulnerability (CWE-89) affecting GLPI, a free asset and IT management software package. The flaw exists in the inventory endpoint, allowing unauthenticated users to inject malicious SQL queries. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility, low attack complexity, and no privileges or user interaction required. The vulnerability was published on 2025-03-18 and is fixed in GLPI version 10.0.18.
An unauthenticated remote attacker can exploit this vulnerability by sending crafted requests to the inventory endpoint, enabling arbitrary SQL query execution. Successful exploitation allows the attacker to extract sensitive data from the underlying database, such as asset details, user information, or other IT management records, without impacting integrity or availability.
The official GLPI security advisory (GHSA-jv89-g7f7-jwfg) on GitHub confirms the issue and states that it is resolved in version 10.0.18. Security practitioners should update to this patched release immediately and review access to inventory endpoints, applying input validation and prepared statements as interim defenses where patching is delayed.
Details
- CWE(s)