CVE-2025-66417
📋 TL;DR
CVE-2025-66417 is an unauthenticated SQL injection vulnerability in GLPI's inventory endpoint. Attackers can execute arbitrary SQL commands without credentials, potentially compromising the database. This affects GLPI installations running versions 11.0.0 through 11.0.2.
💻 Affected Systems
- GLPI
📦 What is this software?
GLPI by the GLPI Project
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, data manipulation, or remote code execution via database functions.
Likely Case
Data exfiltration of sensitive information including user credentials, configuration data, and asset information.
If Mitigated
Limited impact if database permissions are properly restricted and network access is controlled.
🎯 Exploit Status
The advisory provides technical details that could facilitate exploit development. Unauthenticated access lowers the barrier for exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.0.3
Vendor Advisory: https://github.com/glpi-project/glpi/security/advisories/GHSA-p467-682w-9cc9
Restart Required: No
Instructions:
1. Back up your GLPI installation and database.
2. Download GLPI 11.0.3 from the official repository.
3. Follow the GLPI upgrade documentation for your version.
4. Verify the upgrade completed successfully.
🔧 Temporary Workarounds
Disable Inventory Endpoint
Temporarily disable the native inventory endpoint until patching is possible. Agents will stop reporting inventory while it is off. The switch lives in the GLPI web interface, not in config/config_db.php (that file only holds the database credentials).
# In the GLPI web interface: Administration > Inventory, set "Enable inventory" to No and save.
# Alternatively, deny the inventory path in the web server or reverse proxy configuration
# (this page refers to the endpoint as /inventory; confirm the exact route for your version before blocking it).
Network Access Control
Restrict network access to the GLPI inventory endpoint so that only known agent source ranges can reach it.
# Example iptables rule to drop plaintext HTTP requests containing the inventory path.
# Caveats: the string match only sees unencrypted traffic on port 80 (nothing on TLS/443),
# matches the string anywhere in the packet, and is bypassed by case changes, URL encoding
# or fragmentation. Treat it as a stopgap, not a control.
iptables -A INPUT -p tcp --dport 80 -m string --string "/inventory" --algo bm -j DROP
# Preferred: use the web server configuration to deny the inventory path by default
# and allow only the agent subnets.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate GLPI from untrusted networks.
- Deploy a web application firewall (WAF) with SQL injection protection rules.
🔍 How to Verify
Check if Vulnerable:
Check the GLPI version via the admin interface or by examining the installation files. Versions 11.0.0 through 11.0.2 are vulnerable.
Check Version:
grep "GLPI_VERSION" inc/define.php (run from the GLPI install root; the version constant is defined there), or check via the GLPI web interface under Setup > General
Verify Fix Applied:
Verify GLPI version is 11.0.3 or higher. Test inventory endpoint functionality to ensure it still works but SQL injection is prevented.
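To make the version check repeatable across many hosts, here is an added example (written for this page, not GLPI project code) that parses the GLPI_VERSION constant out of inc/define.php and decides whether the install falls in the 11.0.0 through 11.0.2 range. Assumptions: the constant is declared as `define('GLPI_VERSION', '...')` in inc/define.php, and pre-release builds of 11.0.3 (for example a `-rc1` suffix) are conservatively treated as still vulnerable; the define.php content embedded below is constructed sample data.

```python
"""Check a GLPI install for the CVE-2025-66417 affected range (11.0.0 <= version < 11.0.3).

Added example for this advisory page; not part of GLPI.
"""
import re
import sys
from pathlib import Path

# Constructed sample of the relevant line from inc/define.php (assumption: this define() form).
SAMPLE_DEFINE_PHP = """<?php
define('GLPI_VERSION', '11.0.2');
define('GLPI_SCHEMA_VERSION', '11.0.2');
"""

DEFINE_RE = re.compile(r"define\(\s*'GLPI_VERSION'\s*,\s*'([^']+)'\s*\)")

FIRST_AFFECTED = "11.0.0"
FIRST_FIXED = "11.0.3"


def parse_glpi_version(define_php_text):
    """Return the GLPI_VERSION string from the contents of inc/define.php, or None."""
    m = DEFINE_RE.search(define_php_text)
    return m.group(1) if m else None


def version_key(version):
    """Sortable key: numeric parts, then a flag so '11.0.3-rc1' sorts before '11.0.3'."""
    release, _, prerelease = version.partition("-")
    parts = [int(p) for p in release.split(".") if p.isdigit()]
    parts += [0] * (3 - len(parts))            # pad to major.minor.patch
    return (tuple(parts[:3]), 0 if prerelease else 1, prerelease)


def is_vulnerable(version):
    """True for 11.0.0 .. 11.0.2 and for pre-release builds of 11.0.3 (conservative)."""
    key = version_key(version)
    return version_key(FIRST_AFFECTED) <= key < version_key(FIRST_FIXED)


def check_install(glpi_root):
    """Read <glpi_root>/inc/define.php and report (version, vulnerable) or (None, None)."""
    define_php = Path(glpi_root) / "inc" / "define.php"
    if not define_php.is_file():
        return None, None
    version = parse_glpi_version(define_php.read_text(encoding="utf-8", errors="replace"))
    if version is None:
        return None, None
    return version, is_vulnerable(version)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        version, vuln = check_install(sys.argv[1])
    else:
        version = parse_glpi_version(SAMPLE_DEFINE_PHP)
        vuln = is_vulnerable(version) if version else None
    if version is None:
        print("GLPI_VERSION not found; is this a GLPI install root?")
        sys.exit(2)
    print(f"GLPI {version}: {'VULNERABLE, upgrade to 11.0.3' if vuln else 'not in affected range'}")
    sys.exit(1 if vuln else 0)
```

Run it as `python check_glpi.py /var/www/glpi`; with no argument it evaluates the embedded sample. The exit code (1 for vulnerable) makes it easy to drop into a fleet inventory job.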
📡 Detection & Monitoring
Log Indicators:
- Unusual or malformed SQL statements in database logs (enable the MySQL/MariaDB general or slow query log temporarily if needed)
- Bursts of inventory requests that return 5xx errors from a single source
- Requests to the inventory endpoint carrying SQL metacharacters or keywords (quotes, comment markers, UNION/SELECT, SLEEP), including URL-encoded forms such as %27
Network Indicators:
- Unusual traffic patterns to the /inventory endpoint, in particular from hosts that are not known inventory agents
- SQL error messages in HTTP responses seen at a proxy, WAF or IDS
SIEM Query:
source="web_logs" uri="*inventory*" (uri="*'*" OR uri="*%27*" OR uri="*UNION*" OR uri="*SELECT*" OR uri="*--*" OR status>=500)
Note: exact-match terms such as message="SQL" will not match substrings in most SIEMs, hence the wildcards. Web access logs record neither POST bodies nor response bodies, and the inventory endpoint is normally driven by POST requests from agents, so pair this query with database or WAF logs to catch payloads carried in the body.
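The indicators above can be turned into a small offline triage script. The following is an added example for this page (not GLPI project code) that parses combined-format access logs, URL-decodes each request URI repeatedly so that double-encoded payloads such as %2527 are caught, flags inventory requests that carry SQL-injection indicators, and counts 5xx bursts per source IP on the inventory path. Assumptions: logs are in the Apache/nginx combined format, the inventory route contains the substring "inventory" (the sample lines use /front/inventory.php), and the log lines and indicator list are constructed for illustration.

```python
"""Triage web access logs for SQL-injection probing of the GLPI inventory endpoint.

Added example for this advisory page; not part of GLPI. Sample log lines are constructed.
"""
import re
import sys
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample in Apache/nginx combined format (assumption: route is /front/inventory.php).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2025:10:00:01 +0000] "POST /front/inventory.php HTTP/1.1" 200 512
10.0.0.5 - - [10/Dec/2025:10:00:02 +0000] "POST /front/inventory.php HTTP/1.1" 200 498
198.51.100.7 - - [10/Dec/2025:10:05:10 +0000] "GET /front/inventory.php?action=test%27%20OR%201%3D1-- HTTP/1.1" 500 220
198.51.100.7 - - [10/Dec/2025:10:05:11 +0000] "GET /front/inventory.php?action=1%2527%20UNION%20SELECT%20NULL-- HTTP/1.1" 500 220
198.51.100.7 - - [10/Dec/2025:10:05:12 +0000] "GET /front/inventory.php?x=SLEEP(5) HTTP/1.1" 500 220
203.0.113.9 - - [10/Dec/2025:10:06:00 +0000] "GET /front/central.php?id=5%27 HTTP/1.1" 200 3000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed indicator set, applied to the decoded URI; tune for your own traffic.
SQLI_INDICATORS = {
    "quote": re.compile(r"'"),
    "comment": re.compile(r"--(\s|$)|/\*"),
    "union_select": re.compile(r"\bunion\b[\s\S]*\bselect\b", re.IGNORECASE),
    "tautology": re.compile(r"\b(or|and)\b\s+\S+\s*=\s*\S+", re.IGNORECASE),
    "mysql_func": re.compile(r"\b(sleep|benchmark|load_file|updatexml|extractvalue)\s*\(", re.IGNORECASE),
    "schema": re.compile(r"information_schema", re.IGNORECASE),
}

INVENTORY_MARKER = "inventory"   # assumption: the inventory route contains this substring
ERROR_BURST_THRESHOLD = 3        # 5xx responses per source IP on the inventory path


def full_decode(uri, max_rounds=3):
    """URL-decode repeatedly until stable so %2527 -> %27 -> ' is not missed."""
    for _ in range(max_rounds):
        decoded = unquote_plus(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["decoded_uri"] = full_decode(rec["uri"])
    return rec


def is_inventory_request(rec):
    path = rec["decoded_uri"].split("?", 1)[0]
    return INVENTORY_MARKER in path.lower()


def sqli_indicators(text):
    """Names of the indicator patterns that match the decoded URI."""
    return [name for name, rx in SQLI_INDICATORS.items() if rx.search(text)]


def analyze(log_text):
    """Return suspicious inventory requests and per-IP 5xx bursts on the inventory path."""
    suspicious = []
    errors = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_inventory_request(rec):
            continue
        hits = sqli_indicators(rec["decoded_uri"])
        if hits:
            suspicious.append((rec["ip"], rec["decoded_uri"], hits))
        if 500 <= rec["status"] < 600:
            errors[rec["ip"]] += 1
    bursts = {ip: n for ip, n in errors.items() if n >= ERROR_BURST_THRESHOLD}
    return {"suspicious": suspicious, "error_bursts": bursts}


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    result = analyze(text)
    for ip, uri, hits in result["suspicious"]:
        print(f"SUSPICIOUS {ip} {uri} -> {', '.join(hits)}")
    for ip, n in result["error_bursts"].items():
        print(f"ERROR BURST {ip}: {n} x 5xx on inventory path")
```

Run it as `python glpi_inventory_triage.py /var/log/nginx/access.log`; with no argument it processes the embedded sample, where the three probes from 198.51.100.7 are flagged and the quote in the unrelated central.php request is ignored because it is outside the inventory path. Because the inventory endpoint is normally used via POST, pair this with database or WAF logs to cover payloads carried in request bodies.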