CVE-2021-43779

9.9 CRITICAL

📋 TL;DR

CVE-2021-43779 is an authenticated remote code execution vulnerability in the GLPI addressing plugin that allows attackers with valid credentials to execute arbitrary commands on the underlying operating system. This affects GLPI users who have the addressing plugin enabled. The vulnerability stems from improper input validation (CWE-20) in plugin versions before 2.9.1.

💻 Affected Systems

Products:
  • GLPI addressing plugin
Versions: All versions < 2.9.1
Operating Systems: Any OS running GLPI
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the addressing plugin to be installed and enabled. GLPI core versions are not directly affected, only the plugin.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full compromise of the GLPI server with the attacker gaining root/system-level access, data exfiltration, lateral movement to other systems, and persistent backdoor installation.

🟠 Likely Case: Unauthorized access to sensitive IT asset data and service desk information, and potential ransomware deployment on the affected server.

🟢 If Mitigated: Limited impact if proper network segmentation, least privilege access, and command execution restrictions are in place.

🌐 Internet-Facing: HIGH - Internet-facing GLPI instances with the addressing plugin are directly exploitable by authenticated attackers.
🏢 Internal Only: HIGH - Internal attackers or compromised accounts can exploit this to gain server control and pivot to other systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Multiple public exploit scripts exist. Attack requires valid GLPI user credentials but no special privileges.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.9.1

Vendor Advisory: https://github.com/pluginsGLPI/addressing/security/advisories/GHSA-q5fp-xpr8-77jh

Restart Required: No

Instructions:

1. Backup your GLPI installation and database.
2. Update the addressing plugin to version 2.9.1 or later via GLPI's plugin management interface or manual installation.
3. Verify the plugin version shows 2.9.1 or higher.

🔧 Temporary Workarounds

Disable addressing plugin

Versions: all

Temporarily disable the vulnerable plugin until patching is possible.

Steps: Navigate to GLPI admin interface > Plugins > Addressing > Click disable

🧯 If You Can't Patch

  • Disable the addressing plugin immediately
  • Implement strict network segmentation to isolate the GLPI server and restrict access to trusted IPs only

🔍 How to Verify

Check if Vulnerable:

Check GLPI admin interface > Plugins > Addressing. If version is below 2.9.1 and plugin is enabled, system is vulnerable.

Check Version:

Check the GLPI web interface or examine the plugin files: grep 'plugin_version' /var/www/html/glpi/plugins/addressing/inc/common.class.php

Verify Fix Applied:

Verify addressing plugin version shows 2.9.1 or higher in GLPI plugin management.

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution patterns in system logs
  • GLPI logs showing unexpected addressing plugin activity
  • Web server logs with suspicious POST requests to addressing plugin endpoints

Network Indicators:

  • Outbound connections from GLPI server to unexpected destinations
  • Command and control traffic patterns

SIEM Query:

source="glpi_logs" AND ("addressing" AND ("exec" OR "system" OR "shell_exec" OR "passthru"))
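The web-server indicator above (POST requests to addressing plugin endpoints) can be checked offline against an access log before the SIEM query is in place. The following is an added example, not part of the advisory or of GLPI; it assumes Common Log Format lines with an authenticated user field, and both the log lines and the plugin endpoint filename are constructed for the demo.

```python
"""Flag POST requests to GLPI addressing plugin endpoints in an access log.

Added example, not part of the original advisory or GLPI. Assumptions: the
log is in Common Log Format with the authenticated user in the third field,
and the plugin is served under /glpi/plugins/addressing/. The log lines and
the endpoint filename below are constructed, not captured from a real server.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Path prefix of the plugin's endpoints (assumed layout of a GLPI install).
PLUGIN_PREFIX = "/glpi/plugins/addressing/"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log; endpoint filename is hypothetical.
SAMPLE_LOG = """\
192.0.2.10 - alice [12/Nov/2021:10:15:02 +0000] "GET /glpi/front/central.php HTTP/1.1" 200 5120
192.0.2.10 - alice [12/Nov/2021:10:15:30 +0000] "POST /glpi/plugins/addressing/front/example.form.php HTTP/1.1" 302 0
198.51.100.7 - bob [12/Nov/2021:10:16:01 +0000] "POST /glpi/plugins/addressing/front/example.form.php HTTP/1.1" 200 812
198.51.100.7 - bob [12/Nov/2021:10:16:05 +0000] "POST /glpi/plugins/addressing/front/example.form.php?id=1 HTTP/1.1" 200 805
203.0.113.5 - - [12/Nov/2021:10:17:00 +0000] "POST /glpi/front/login.php HTTP/1.1" 302 0
not a log line at all
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access-log line; return None for lines that do not match."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def find_plugin_posts(lines: List[str]) -> List[Dict[str, str]]:
    """Return every parsed POST whose path (query string removed) is a plugin endpoint."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable lines are skipped, not treated as matches
        path = entry["path"].split("?", 1)[0]
        if entry["method"] == "POST" and path.startswith(PLUGIN_PREFIX):
            findings.append(entry)
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[Tuple[str, str], int]:
    """Count plugin POSTs per (client IP, user) so repeated activity stands out."""
    return Counter((f["ip"], f["user"]) for f in findings)


def scan(text: str) -> Dict[str, object]:
    """Run the detection over raw log text and return findings plus per-client counts."""
    findings = find_plugin_posts(text.splitlines())
    return {"findings": findings, "by_client": dict(summarize(findings))}


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for client, count in result["by_client"].items():
        print(f"{client[0]} user={client[1]} plugin POSTs={count}")
```

Ordinary use of the plugin also produces POSTs to these endpoints, so the per-client counts are a triage aid rather than a verdict: review the accounts involved and correlate with the system-log indicators listed above (unexpected command execution on the GLPI host) before escalating.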

🔗 References
