
A newly discovered SQL injection vulnerability in the widely used GLPI IT Service Management (ITSM) tool poses significant risks to organizations. Tracked as CVE-2025-24799, this flaw enables unauthenticated attackers to execute arbitrary SQL queries, potentially leading to data theft, manipulation, and even remote code execution.
Executive Summary
The vulnerability affects GLPI versions 10.0.0 through 10.0.17, with version 10.0.18 containing the patch. Security researchers have confirmed that exploitation requires no authentication, making this particularly dangerous for exposed instances. The flaw resides in the dynamic report generation module where improper input validation allows SQL injection.
- CVE ID: CVE-2025-24799
- CVSS Score: 9.1 (Critical)
- Affected Versions: GLPI 10.0.0 – 10.0.17
- Patch Version: GLPI 10.0.18
- Impact: Data theft, manipulation, potential RCE
Technical Analysis
The vulnerability stems from insufficient input sanitization in GLPI’s dynamic report generation functionality. According to Hakai Security’s research blog, attackers can craft malicious SQL queries that bypass authentication checks and execute directly on the database server.
The Broadcom security bulletin notes that successful exploitation could allow attackers to:
| Potential Impact | Description |
|---|---|
| Data Exposure | Access to sensitive IT asset and user information |
| Data Manipulation | Alteration or deletion of critical records |
| System Compromise | Potential remote code execution via database functions |
Mitigation Strategies
Organizations using affected GLPI versions should implement the following measures immediately:
- Upgrade to GLPI 10.0.18, which contains the official patch
- Implement a Web Application Firewall (WAF) with SQL injection rules
- Restrict database permissions to minimum required levels
- Monitor database logs for unusual query patterns
The SANS Institute recommends additional hardening measures for ITSM tools, including regular security audits and limiting network exposure of administrative interfaces.
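As an added example (not code from this article or from the GLPI project), a small Python triage helper for the two measures above that are easiest to automate: checking whether a reported GLPI version falls inside the affected range this advisory gives (10.0.0 through 10.0.17, fixed in 10.0.18), and flagging MySQL general-log entries whose query shape warrants a human review. The sample log lines, the table names in them and the regex patterns are constructed for illustration and are not a complete signature set.

```python
"""Triage helpers for CVE-2025-24799 (GLPI SQL injection). Added example,
not GLPI project code; sample data and patterns are constructed."""
import re

AFFECTED_MIN = (10, 0, 0)
PATCHED = (10, 0, 18)   # first fixed release named in the advisory


def parse_version(text):
    """'10.0.17' -> (10, 0, 17). Compare as integer tuples, not strings,
    so that 10.0.2 sorts below 10.0.18 as it should."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable GLPI version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version):
    """True when the instance is in the range that needs the 10.0.18 upgrade."""
    return AFFECTED_MIN <= parse_version(version) < PATCHED


# Query shapes that normal GLPI traffic should not produce. Hits are for
# review, never for blind blocking; the list is illustrative only.
SUSPICIOUS = [
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("stacked-query", re.compile(r";\s*(drop|delete|update|insert)\b", re.I)),
    ("comment-truncation", re.compile(r"(--|#|/\*)\s*$")),
    ("file-function", re.compile(r"\b(load_file|into\s+outfile|into\s+dumpfile)\b", re.I)),
    # same token on both sides of '=' after OR, e.g. OR 1=1, OR 'a'='a'
    ("tautology", re.compile(r"\bor\b\s+(['\"]?\w+['\"]?)\s*=\s*\1", re.I)),
]

# MySQL general_log line: "<timestamp> <thread_id> Query <sql>"
LOG_LINE = re.compile(r"^\S+\s+\d+\s+Query\s+(.*)$")


def flag_suspicious_queries(lines):
    """Return (line_no, tag, sql) for each logged query matching a pattern."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue                      # Connect/Quit/Init DB rows are skipped
        sql = m.group(1)
        for tag, pat in SUSPICIOUS:
            if pat.search(sql):
                hits.append((n, tag, sql))
                break                     # report the first matching tag only
    return hits


# Constructed sample general-log excerpt (not real GLPI traffic).
SAMPLE_LOG = [
    "2025-03-20T10:00:01.000000Z 12 Connect glpi@localhost on glpi",
    "2025-03-20T10:00:01.100000Z 12 Query SELECT id, name FROM glpi_computers WHERE entities_id = 3",
    "2025-03-20T10:00:02.200000Z 12 Query SELECT id FROM glpi_reports WHERE id = 1 UNION SELECT id FROM glpi_users -- ",
    "2025-03-20T10:00:03.300000Z 12 Query SELECT 1 WHERE 1=1 OR 1=1",
    "2025-03-20T10:00:04.400000Z 12 Query SELECT LOAD_FILE('/PLACEHOLDER/path')",
]

if __name__ == "__main__":
    print("10.0.2 affected:", is_affected("10.0.2"), "| 10.0.18 affected:", is_affected("10.0.18"))
    for hit in flag_suspicious_queries(SAMPLE_LOG):
        print(hit)
```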
Historical Context
GLPI has faced similar security issues in the past, including CVE-2022-31056, another SQL injection vulnerability. The tool’s widespread adoption in government and corporate IT environments makes it an attractive target for attackers. CybersecurityNews reports that GLPI instances are frequently found exposed to the internet with default credentials.
Conclusion
CVE-2025-24799 represents a serious threat to organizations using vulnerable GLPI versions. The combination of no authentication requirement and potential for remote code execution elevates this vulnerability to critical status. Immediate patching is strongly recommended, along with comprehensive monitoring of affected systems.
References
- “GLPI ITSM Tool Flaw Allows Attackers to Inject Malicious SQL Queries,” GBHackers Security. [Online]. Available: https://gbhackers.com/glpi-itsm-tool-flaw/
- “GLPI Open Source ITSM Tool Vulnerability,” CybersecurityNews. [Online]. Available: https://cybersecuritynews.com/glpi-open-source-itsm-tool-vulnerability/
- “CVE-2025-24799,” SecurityVulnerability.io. [Online]. Available: https://securityvulnerability.io/vulnerability/CVE-2025-24799
- “GLPI Dynamic Reports Vulnerability,” Hakai Security. [Online]. Available: https://hakaisecurity.io/glpi-dynamic-reports-vulnerability/research-blog/
- “Protection Bulletin: CVE-2025-24799 SQL Injection Vulnerability in GLPI,” Broadcom. [Online]. Available: https://www.broadcom.com/support/security-center/protection-bulletin/cve-2025-24799-sql-injection-vulnerability-in-glpi