CVE-2025-64516
Published: 15 January 2026
Summary
CVE-2025-64516 is a high-severity Improper Access Control (CWE-284) vulnerability in Glpi-Project Glpi. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 11.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Ensuring access control decisions are made and applied to every request before enforcement directly prevents improper access control by requiring policy-based checks.
Enforcing approved authorizations directly implements access control policies to block unauthorized access.
The access control policy and procedures directly mandate and enforce proper access control mechanisms across the organization.
Device lock enforces restricted access until re-authentication, directly reducing unauthorized use of active sessions.
Supervision and review of access control activities directly detects and remediates improper access configurations or usages.
Explicitly identifying and documenting actions permitted without identification or authentication enforces proper access control boundaries by defining justified exceptions.
By automatically labeling outputs with security attributes, the control supports attribute-based enforcement and reduces exploitability of improper access control weaknesses.
Associating and retaining security attributes with data directly supports enforcement of access control decisions across storage, processing, and transmission.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct unauthorized remote access to documents in GLPI (IT asset/ticket repository) via public-facing web app bypasses access controls, enabling exploitation of public-facing apps and collection from information repositories.
NVD Description
GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item (ticket, asset, ...). If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user. This vulnerability is fixed in 10.0.21 and 11.0.3.
Deeper analysis
CVE-2025-64516 is an improper access control vulnerability (CWE-284, CWE-639) in GLPI, a free asset and IT management software package. Versions prior to 10.0.21 and 11.0.3 are affected, where an unauthorized user can access documents attached to any item, such as tickets or assets. The issue was published on 2026-01-15 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility and no authentication or privileges required.
An attacker requires no privileges (PR:N) and can exploit this remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Unauthorized users can directly access sensitive attached documents, achieving high confidentiality loss. If the public FAQ feature is enabled, anonymous users can also perform this unauthorized access, broadening the threat surface to unauthenticated visitors.
Mitigation is provided by upgrading to GLPI 10.0.21 or 11.0.3, where the vulnerability is fixed. Patch details are in GitHub commits 51412a89d3174cfe22967b051d527febdbceab3c and ee7ee28e0645198311c0a9e0c4e4b712b8788e27, with releases available at github.com/glpi-project/glpi/releases/tag/10.0.21 and github.com/glpi-project/glpi/releases/tag/11.0.3. Further guidance is in the security advisory at github.com/glpi-project/glpi/security/advisories/GHSA-487h-7mxm-7r46.
Details
- CWE(s)