CVE-2025-64516
Published: 15 January 2026
Summary
CVE-2025-64516 is a high-severity Improper Access Control (CWE-284) vulnerability in Glpi-Project Glpi. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 14.1 percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2025-64516 is an improper access control vulnerability (CWE-284, CWE-639) in GLPI, a free asset and IT management software package. Versions prior to 10.0.21 and 11.0.3 are affected, where an unauthorized user can access documents attached to any item, such as tickets or assets. The issue was published on 2026-01-15 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility and no authentication or privileges required.
An attacker requires no privileges (PR:N) and can exploit this remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Unauthorized users can directly read sensitive attached documents, so the confidentiality impact is high. If the public FAQ feature is enabled, anonymous users can perform the same unauthorized access, which extends the attack surface to unauthenticated visitors.
The fix is to upgrade to GLPI 10.0.21 or 11.0.3, the first releases in each line that close the vulnerability. Patch details are in GitHub commits 51412a89d3174cfe22967b051d527febdbceab3c and ee7ee28e0645198311c0a9e0c4e4b712b8788e27, with releases available at github.com/glpi-project/glpi/releases/tag/10.0.21 and github.com/glpi-project/glpi/releases/tag/11.0.3. Further guidance is in the security advisory at github.com/glpi-project/glpi/security/advisories/GHSA-487h-7mxm-7r46.
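The practical question for a defender is whether a given GLPI instance falls inside the affected ranges stated above (before 10.0.21 in the 10.x line, before 11.0.3 in the 11.x line) and whether the public FAQ setting widens exposure to anonymous users. The following is an added example, not code from the GLPI project or the advisory. It assumes version strings are plain dotted numerics such as "10.0.20", optionally followed by a pre-release suffix such as "-rc1" or "-dev", which it treats as sorting below the final release of the same number; the `public_faq_enabled` flag is an input you supply from your own configuration.

```python
"""Affected-version check for CVE-2025-64516 (GLPI improper access control).

Added example, not GLPI project code. Encodes the ranges from the advisory:
releases before 10.0.21 and before 11.0.3 are affected; the fix ships in
10.0.21 and 11.0.3. Version strings are assumed to be dotted numerics with an
optional "-suffix" (treated as a pre-release, i.e. below that version).
"""
import re
from typing import Dict, Optional, Tuple

# First fixed release in each supported line (from the advisory).
FIXED_10 = (10, 0, 21)
FIXED_11 = (11, 0, 3)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "10.0.20" or "11.0.3-rc1" into a comparable tuple.

    The result always has four components: major, minor, patch and a
    release marker (0 for a final release, -1 for a pre-release), so
    (11, 0, 3, -1) sorts below (11, 0, 3, 0) and "10.0" compares as "10.0.0".
    """
    s = version.strip()
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[-+].*)?", s)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    parts = (parts + (0, 0, 0))[:3]  # pad short versions to three components
    has_suffix = m.end(1) != len(s)
    return parts + ((-1,) if has_suffix else (0,))


def _fixed_for(v: Tuple[int, ...]) -> Tuple[int, int, int]:
    """Pick the fixed release in the line the version belongs to.

    Anything below the 11.x line (including unsupported 9.x) is compared
    against 10.0.21, which matches the advisory's "prior to 10.0.21" wording.
    """
    return FIXED_11 if v[0] >= 11 else FIXED_10


def is_affected(version: str) -> bool:
    """True if the GLPI version lies in an affected range."""
    v = parse_version(version)
    return v < _fixed_for(v) + (0,)


def minimum_fixed_version(version: str) -> str:
    """Earliest release in the same line that carries the fix."""
    return ".".join(map(str, _fixed_for(parse_version(version))))


def assess(version: str, public_faq_enabled: bool) -> Dict[str, Optional[object]]:
    """Summarise exposure: affected?, anonymous exposure?, target release."""
    affected = is_affected(version)
    return {
        "version": version,
        "affected": affected,
        # Per the advisory, anonymous access is only possible when the
        # public FAQ is enabled on an affected release.
        "anonymous_exposure": affected and public_faq_enabled,
        "upgrade_to": minimum_fixed_version(version) if affected else None,
    }


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for ver, faq in [("10.0.20", False), ("11.0.2", True), ("11.0.3", True)]:
        print(assess(ver, faq))
```

Because the pre-release marker is part of the tuple, a build such as 11.0.3-rc1 is still reported as affected, which is the conservative answer when a test instance runs a release candidate of the fixed version.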
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206294
Vulnerability details
GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item (ticket, asset, ...). If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user. This vulnerability is fixed in 10.0.21 and 11.0.3.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct unauthorized remote access to documents in GLPI (an IT asset and ticket repository) through its public-facing web application bypasses access controls, which maps to exploitation of public-facing applications and to collection from information repositories.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations for logical access to information and system resources, directly preventing unauthorized users from accessing GLPI attached documents.
- AC-14 (Permitted Actions Without Identification or Authentication): identifies and explicitly authorizes actions allowed without identification or authentication, mitigating unauthorized and anonymous access to documents, especially when the public FAQ is enabled.
- SI-2 (Flaw Remediation): requires identification, reporting, and correction of system flaws such as this improper access control vulnerability through timely patching to GLPI 10.0.21 or 11.0.3.