CVE-2025-24801
📋 TL;DR
This vulnerability allows authenticated GLPI users to upload and execute arbitrary PHP files on the server, leading to remote code execution. It affects GLPI installations before version 10.0.18. Any organization using vulnerable GLPI versions with authenticated users is at risk.
💻 Affected Systems
- GLPI
📦 What is this software?
GLPI by the GLPI Project
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise allowing attackers to execute arbitrary code, steal data, install malware, or pivot to other systems.
Likely Case
Authenticated attackers gaining shell access to the GLPI server, potentially compromising sensitive IT asset data and using the server as a foothold.
If Mitigated
Limited impact if proper file upload restrictions and web application firewalls are in place, though risk remains.
🎯 Exploit Status
Requires authenticated access and ability to upload files; exploitation involves bypassing file type restrictions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.0.18
Vendor Advisory: https://github.com/glpi-project/glpi/security/advisories/GHSA-g2p3-33ff-r555
Restart Required: No
Instructions:
1. Back up your GLPI database and files.
2. Download GLPI 10.0.18 or later from the official repository.
3. Follow the GLPI upgrade documentation to apply the update.
4. Verify the installation is functioning correctly.
🔧 Temporary Workarounds
Restrict file uploads
Configure the web server or application to block PHP file uploads through GLPI interfaces. Scope the rules below to the GLPI upload/data directory only: GLPI itself is written in PHP, so a site-wide rule would break the application.
# Configure .htaccess for Apache (Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead of "Deny from all"):
<FilesMatch "\.php$">
    Deny from all
</FilesMatch>
# For nginx, inside the server block for the upload/data location:
location ~ \.php$ { deny all; }
Implement WAF rules
Deploy web application firewall rules to block malicious file upload patterns.
# Example ModSecurity rule. FILES holds the client-supplied original filenames (FILES_TMPNAMES holds the random server-side temp names, which never end in .php), and SecRequestBodyAccess must be On for multipart bodies to be inspected:
SecRule FILES "@rx (?i)\.ph(p\d?|tml|ar)$" "id:1001,phase:2,deny,status:403,msg:'PHP file upload blocked'"
🧯 If You Can't Patch
- Implement strict access controls to limit authenticated users who can upload files.
- Deploy network segmentation to isolate GLPI servers from critical systems.
🔍 How to Verify
Check if Vulnerable:
Check GLPI version via admin interface or by examining the GLPI installation files for version indicators.
Check Version:
php glpi/inc/glpi_version.php or check GLPI admin dashboard
Verify Fix Applied:
Confirm GLPI version is 10.0.18 or later and test that PHP file uploads are properly blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual file upload activity in GLPI logs
- PHP file upload attempts in web server logs
- Unexpected process execution from GLPI directories
Network Indicators:
- HTTP POST requests with PHP file uploads to GLPI endpoints
- Outbound connections from GLPI server to unknown destinations
SIEM Query:
(source="glpi.log" AND "upload" AND ".php") OR (source="access.log" AND "POST" AND "/glpi/" AND ".php")
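The access.log clause of the query above matches almost every GLPI request, because GLPI's own endpoints are .php files, and multipart upload filenames are not visible in access logs at all. The following added example (not part of this advisory or of GLPI) narrows detection to the event that actually matters: a script extension being requested from under a GLPI data/upload directory. The directory prefixes and the log lines are constructed assumptions for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" format (not real traffic).
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [10/Mar/2025:10:01:12 +0000] "POST /glpi/front/document.form.php HTTP/1.1" 302 412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2025:10:01:15 +0000] "GET /glpi/files/_uploads/shell.php?cmd=id HTTP/1.1" 200 87 "-" "curl/8.4"
203.0.113.5 - - [10/Mar/2025:10:01:20 +0000] "GET /glpi/files/_uploads/shell%2Ephp?cmd=whoami HTTP/1.1" 200 91 "-" "curl/8.4"
198.51.100.7 - - [10/Mar/2025:10:02:00 +0000] "GET /glpi/front/central.php HTTP/1.1" 200 15320 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2025:10:02:05 +0000] "GET /glpi/files/_uploads/report.pdf HTTP/1.1" 200 52011 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed GLPI data/upload directory prefixes for this example; nothing under
# them should ever be served as a script, whatever the request method.
DATA_DIRS = ("/glpi/files/", "/glpi/_uploads/", "/glpi/_tmp/")
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)


def parse(line):
    """Parse one combined-format access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(log_text):
    """Return one alert per request for a script file under a GLPI data directory."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        # Strip the query string and decode percent-encoding so "shell%2Ephp" is not missed.
        path = unquote(rec["path"].split("?", 1)[0])
        if path.startswith(DATA_DIRS) and SCRIPT_EXT.search(path):
            alerts.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                           "path": path, "status": int(rec["status"])})
    return alerts


def top_sources(alerts):
    """Rank alerting client IPs by hit count, for triage."""
    return Counter(a["ip"] for a in alerts).most_common()


if __name__ == "__main__":
    for a in scan(SAMPLE_ACCESS_LOG):
        print(a)
```

A 200 status on such a request means the web server executed or served the file, so the access-control workaround above should also be verified by confirming these requests return 403 after it is applied.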