CVE-2025-24801
Published: 18 March 2025
Summary
CVE-2025-24801 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Glpi-Project Glpi. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 13.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the vulnerability by requiring timely remediation through patching to the fixed GLPI version 10.0.18.
Requires validation of file uploads to ensure they do not contain dangerous types like executable PHP files, addressing CWE-434 unrestricted upload.
Deploys mechanisms to scan and block malicious code such as uploaded PHP files at system entry points before execution.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables arbitrary PHP file upload and execution on a public-facing GLPI server, directly mapping to web shell deployment (T1505.003) and exploitation of public-facing applications for initial access (T1190).
NVD Description
GLPI is a free asset and IT management software package. An authenticated user can upload and force the execution of *.php files located on the GLPI server. This vulnerability is fixed in 10.0.18.
Deeper analysisAI
CVE-2025-24801 is a high-severity vulnerability in GLPI, a free asset and IT management software package. It allows an authenticated user to upload and force the execution of arbitrary *.php files on the GLPI server, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). The issue carries a CVSS v3.1 base score of 8.5 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H), reflecting significant potential impact across confidentiality, integrity, and availability when exploited.
An attacker with low-privilege authenticated access (PR:L) over the network (AV:N) can exploit this flaw, though it requires high attack complexity (AC:H). Successful exploitation enables arbitrary PHP code execution on the server, potentially granting scope-changed (S:C) high-impact control over the system, including full compromise of the GLPI instance and any associated data or resources.
The vulnerability is addressed in GLPI version 10.0.18, as detailed in the official security advisory at https://github.com/glpi-project/glpi/security/advisories/GHSA-g2p3-33ff-r555. Security practitioners should prioritize upgrading to the patched version and review access controls for authenticated users to mitigate risks.
Details
- CWE(s)