
CVE-2025-64516
Severity: High
Published: 15 January 2026

Modified: 21 January 2026
CISA KEV: not listed
Patch: available (10.0.21 / 11.0.3)
CVSS v3.1 Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0004 (14.1th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-64516 is a high-severity Improper Access Control (CWE-284) vulnerability in Glpi-Project Glpi. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 14.1th percentile by exploit likelihood (EPSS 0.0004, below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-64516 is an improper access control vulnerability (CWE-284, CWE-639) in GLPI, a free asset and IT management software package. Versions prior to 10.0.21 and 11.0.3 are affected, where an unauthorized user can access documents attached to any item, such as tickets or assets. The issue was published on 2026-01-15 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility and no authentication or privileges required.

An attacker requires no privileges (PR:N) and can exploit this remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Unauthorized users can directly access sensitive attached documents, achieving high confidentiality loss. If the public FAQ feature is enabled, anonymous users can also perform this unauthorized access, broadening the threat surface to unauthenticated visitors.

Mitigation is provided by upgrading to GLPI 10.0.21 or 11.0.3, where the vulnerability is fixed. Patch details are in GitHub commits 51412a89d3174cfe22967b051d527febdbceab3c and ee7ee28e0645198311c0a9e0c4e4b712b8788e27, with releases available at github.com/glpi-project/glpi/releases/tag/10.0.21 and github.com/glpi-project/glpi/releases/tag/11.0.3. Further guidance is in the security advisory at github.com/glpi-project/glpi/security/advisories/GHSA-487h-7mxm-7r46.
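A practical first step for defenders is to find which GLPI instances in an inventory still fall inside the affected ranges. The following is an added example, not code from the advisory or the GLPI project; it assumes the record's ranges 10.0.0 up to (not including) 10.0.21 and 11.0.0 up to (not including) 11.0.3, treats pre-release tags such as -rc1 as older than the final release they precede, and uses a constructed sample inventory.

```python
import re
from typing import Optional

# First fixed release per affected branch, taken from the advisory record.
# Assumption: anything on these branches below the fixed release is affected.
FIXED_RELEASES = {
    (10, 0): (10, 0, 21),
    (11, 0): (11, 0, 3),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?")


def parse_version(text: str) -> tuple:
    """Parse 'MAJOR.MINOR.PATCH[-prerelease]' into a comparable tuple."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised GLPI version: {text!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    # A pre-release (e.g. 10.0.21-rc1) sorts before the final 10.0.21,
    # so it must still count as affected.
    is_final = 0 if m.group(4) else 1
    return (major, minor, patch, is_final)


def is_affected(version: str) -> Optional[bool]:
    """True/False for branches the record covers; None if the branch is not listed."""
    v = parse_version(version)
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is None:
        return None  # e.g. 9.5.x: not covered by this record, verify manually
    return v < fixed + (1,)


# Constructed sample inventory (hypothetical hostnames, not real assets).
SAMPLE_INVENTORY = {
    "helpdesk-01": "10.0.20",
    "helpdesk-02": "10.0.21",
    "itsm-prod": "11.0.2",
    "itsm-stage": "11.0.3",
    "legacy-glpi": "9.5.14",
}


def triage(inventory: dict) -> tuple:
    """Return (hosts to patch, hosts whose branch this record does not cover)."""
    affected = sorted(h for h, v in inventory.items() if is_affected(v) is True)
    unknown = sorted(h for h, v in inventory.items() if is_affected(v) is None)
    return affected, unknown


if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```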

Vulnerability details

GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item (ticket, asset, ...). If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user. This vulnerability is fixed in 10.0.21 and 11.0.3.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1213 Data from Information Repositories (Collection)
Adversaries may leverage information repositories to mine valuable information.

Why these techniques?

Direct unauthorized remote access to documents in GLPI (IT asset/ticket repository) via public-facing web app bypasses access controls, enabling exploitation of public-facing apps and collection from information repositories.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

Affected Assets

glpi-project / glpi: 10.0.0 up to (not including) 10.0.21; 11.0.0 up to (not including) 11.0.3

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)
Enforces approved authorizations for logical access to information and system resources, directly preventing unauthorized users from accessing GLPI attached documents.

AC-14 Permitted Actions Without Identification or Authentication (prevent)
Identifies and explicitly authorizes actions without identification or authentication, mitigating unauthorized and anonymous access to documents, especially when the public FAQ is enabled.

SI-2 Flaw Remediation (prevent)
Requires identification, reporting, and correction of system flaws like this improper access control vulnerability through timely patching to GLPI 10.0.21 or 11.0.3.
