CVE-2025-64520
📋 TL;DR
This vulnerability allows unauthorized users with API access to read all knowledge base entries in GLPI software. It affects GLPI installations from version 9.1.0 up to but not including 10.0.21. Organizations using affected versions with API access enabled are at risk.
💻 Affected Systems
- GLPI
📦 What is this software?
GLPI by the GLPI Project, an open-source IT asset management and service desk (ITSM) application.
⚠️ Risk & Real-World Impact
Worst Case
Sensitive internal documentation, troubleshooting guides, and proprietary information from the knowledge base could be exfiltrated by attackers, potentially enabling further attacks or exposing confidential data.
Likely Case
Unauthorized users or compromised accounts with API access can read all knowledge base articles, potentially exposing internal procedures, technical documentation, and other sensitive information.
If Mitigated
With proper API access controls and network segmentation, impact is limited to authorized users reading only the knowledge base content they are already permitted to see.
🎯 Exploit Status
Exploitation requires API access credentials but no special privileges. The vulnerability is in authorization logic, making exploitation straightforward once API access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.0.21
Vendor Advisory: https://github.com/glpi-project/glpi/security/advisories/GHSA-62p9-prpq-j62q
Restart Required: No
Instructions:
1. Back up your GLPI installation and database.
2. Download GLPI version 10.0.21 or later from the official repository.
3. Follow the GLPI upgrade documentation to update your installation.
4. Verify that the update completed successfully.
🔧 Temporary Workarounds
Disable API Access
Temporarily disable GLPI API access to prevent exploitation while planning the upgrade.
Edit GLPI configuration to disable API: $config['use_api'] = false; in config/config_db.php
Restrict API Network Access
Limit API endpoint access to trusted IP addresses only.
Configure the web server (Apache/Nginx) to restrict access to the /api/* endpoints to internal IP ranges.
🧯 If You Can't Patch
- Implement strict API access controls and audit all API user accounts
- Monitor API logs for unusual knowledge base access patterns and implement network segmentation
🔍 How to Verify
Check if Vulnerable:
Check the GLPI version via the web interface (Setup > General > Information) or in the database: SELECT value FROM glpi_configs WHERE name = 'version'
Check Version:
php -r 'include("config/config_db.php"); echo $CFG_GLPI["version"];'
Verify Fix Applied:
After upgrading, verify that the version is 10.0.21 or later and test API knowledge base access with a limited-privilege account.
📡 Detection & Monitoring
Log Indicators:
- Unusual API requests to knowledge base endpoints from unauthorized users
- Many knowledge base article reads in a short timeframe from a single API account
Network Indicators:
- API requests to /apirest.php with knowledgebase parameters from unexpected sources
SIEM Query:
source="glpi_logs" AND (uri="/apirest.php/knowledgebase" OR uri="/apirest.php/knowledgebaseitem") AND user!="admin"
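The two log indicators above (knowledge base routes hit by accounts that have no business reading the knowledge base, and bursts of knowledge base reads from one API account) can be checked offline over exported API logs. The following is an added example, not GLPI code or the vendor's advisory: the record fields (timestamp, user, uri) and the sample records are constructed, and the allow-list of expected knowledge base consumers is an assumption you would replace with your own accounts.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example (not GLPI code). Records are (ts, user, uri) tuples; the
# field names mirror the SIEM query above and are an assumption, not a GLPI log format.
KB_PREFIXES = ("/apirest.php/knowledgebase", "/apirest.php/knowledgebaseitem")

# Constructed sample records: (ISO timestamp, API user, request URI).
SAMPLE_LOGS = [
    ("2025-11-10T09:00:00", "helpdesk_bot", "/apirest.php/Ticket/42"),
    ("2025-11-10T09:00:05", "kb_sync", "/apirest.php/KnowledgebaseItem/7"),
    ("2025-11-10T09:00:10", "helpdesk_bot", "/apirest.php/KnowledgebaseItem/1"),
    ("2025-11-10T09:00:12", "helpdesk_bot", "/apirest.php/KnowledgebaseItem/2"),
    ("2025-11-10T09:00:14", "helpdesk_bot", "/apirest.php/KnowledgebaseItem/3"),
    ("2025-11-10T09:00:16", "helpdesk_bot", "/apirest.php/KnowledgebaseItem/4"),
    ("2025-11-10T09:00:18", "helpdesk_bot", "/apirest.php/KnowledgebaseItem/5"),
    ("2025-11-10T09:01:00", "auditor", "/apirest.php/KnowledgebaseItem/9"),
    ("2025-11-10T09:05:00", "kb_sync", "/apirest.php/KnowledgebaseItem/8"),
]

def detect_kb_reads(records, expected_kb_users, burst_threshold=5,
                    window=timedelta(minutes=1)):
    """Return (unexpected_users, burst_users).

    unexpected_users: accounts hitting knowledge base routes that are not allow-listed.
    burst_users: accounts with >= burst_threshold knowledge base reads inside
    `window`, using a sliding window over the time-sorted records.
    """
    unexpected, bursts = set(), set()
    recent = defaultdict(deque)  # user -> KB read timestamps still inside the window
    for ts_str, user, uri in sorted(records):
        if not uri.lower().startswith(KB_PREFIXES):
            continue  # not a knowledge base route (GLPI itemtypes are case-insensitive here)
        ts = datetime.fromisoformat(ts_str)
        if user not in expected_kb_users:
            unexpected.add(user)
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop reads that fell out of the window
            q.popleft()
        if len(q) >= burst_threshold:
            bursts.add(user)
    return unexpected, bursts

if __name__ == "__main__":
    print(detect_kb_reads(SAMPLE_LOGS, {"kb_sync"}))
```

Tune `burst_threshold` and `window` to your own baseline of legitimate knowledge base reads so that scheduled synchronisation accounts do not trip the burst rule.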