Cyber Resilience

CVE-2025-24801

High

Published: 18 March 2025

Published
18 March 2025
Modified
01 August 2025
KEV Added
Patch
CVSS Score v3.1 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0298 86.8th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-24801 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Glpi-Project Glpi. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 13.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

GLPI, an open-source IT asset and service management application, contains an arbitrary file upload flaw tracked as CVE-2025-24801. An authenticated user can upload a PHP file to the server and then invoke it directly, resulting in code execution. The issue is classified under CWE-434 and carries a CVSS 3.1 score of 8.5; it was corrected in version 10.0.18.

An attacker who already possesses a valid GLPI account can leverage the flaw to upload and execute arbitrary PHP payloads hosted on the server. Successful exploitation grants the ability to run operating-system commands, read or modify sensitive data, and potentially pivot within the environment, satisfying the high impact ratings across confidentiality, integrity, and availability under a network-accessible but high-complexity attack path.

The official GLPI security advisory GHSA-g2p3-33ff-r555 confirms the root cause and states that upgrading to 10.0.18 fully resolves the vulnerability. No other mitigations such as configuration changes or workarounds are documented in the reference.

EPSS for the CVE remains low at 0.0298 with no material increase since disclosure, indicating limited observed exploitation interest to date.

EU & UK References

Vulnerability details

GLPI is a free asset and IT management software package. An authenticated user can upload and force the execution of *.php files located on the GLPI server. This vulnerability is fixed in 10.0.18.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

The vulnerability enables arbitrary PHP file upload and execution on a public-facing GLPI server, directly mapping to web shell deployment (T1505.003) and exploitation of public-facing applications for initial access (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-23046Same product: Glpi-Project Glpi
CVE-2025-66417Same product: Glpi-Project Glpi
CVE-2025-21619Same product: Glpi-Project Glpi
CVE-2026-22247Same product: Glpi-Project Glpi
CVE-2026-26263Same product: Glpi-Project Glpi
CVE-2026-26026Same product: Glpi-Project Glpi
CVE-2025-24799Same product: Glpi-Project Glpi
CVE-2026-29047Same product: Glpi-Project Glpi
CVE-2026-26027Same product: Glpi-Project Glpi
CVE-2026-22044Same product: Glpi-Project Glpi

Affected Assets

glpi-project
glpi
0.85 — 10.0.18

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the vulnerability by requiring timely remediation through patching to the fixed GLPI version 10.0.18.

prevent

Requires validation of file uploads to ensure they do not contain dangerous types like executable PHP files, addressing CWE-434 unrestricted upload.

preventdetect

Deploys mechanisms to scan and block malicious code such as uploaded PHP files at system entry points before execution.

References