Two vulnerabilities in the IT asset management tool GLPI have been published under the heading “Pre-authentication SQL injection to RCE in GLPI”.
In this article, our experts examine these two vulnerabilities and investigate the number and type of organizations impacted.
What exactly is GLPI?
To fully understand the impact of these vulnerabilities, we first need to understand what GLPI is, what it does, and who uses it.
GLPI (Gestion Libre de Parc Informatique, which translates as Flexible IT Asset Management) is open-source software used to manage IT services and assets, typically for enterprises, educational establishments and local government.
The product is particularly suited to tasks such as IT inventory tracking (for both software and hardware), handling IT support requests and organizing maintenance processes.
While a free version of the software exists, Teclib now offers a paid version, either on-premise or cloud-hosted, including a range of plugins with advanced features.
Who uses GLPI?
With more than 80 versions published since its first release in 2003, GLPI has become a familiar name for IT managers. It is mainly used by:
- Organizations with a significant fleet of IT assets to manage,
- IT support teams with a requirement for tracking IT assets and handling incidents,
- Public authorities such as town halls, local authorities and schools, who need a centralized tool to manage their IT infrastructure.
What are the principal features of GLPI?
GLPI is designed as a modular tool, offering a range of functions that can be activated as required.
There are a number of modules, such as inventory management, which enables you to take stock of computers, servers, peripherals and installed software.
Ticket management allows for the usual range of user requests and incidents to be tracked.
The product can also be used to manage users and access rights by assigning roles and permissions, and the functionality extends to managing software licenses, contracts and renewals.
To achieve all this functionality, a GLPI software agent must be installed on the operating systems across the IT infrastructure and on user devices. This agent collects data from the host it runs on and sends it back to the central server.
What are the vulnerabilities that have been detected?
Two vulnerabilities were identified at the end of December 2024, and these reports were confirmed by the vendor on 28th January as CVE-2025-24799 and CVE-2025-24801.
The two vulnerabilities are chained: the first (a SQL injection) must be exploited in order to reach the second, which allows remote code execution.
At the time of writing, a fix has been available since 12th February 2025, in GLPI version 10.0.18.
Pre-authentication SQL injection (CVE-2025-24799):
This vulnerability was discovered in a PHP function normally used to perform a system inventory via the GLPI agent.
The cybersecurity researchers who discovered it observed that this function accepts user input without requiring any authentication. The SQL injection attack is achieved by sending a request to this function in the form of an XML query.
Obtaining Remote Code Execution (RCE) (CVE-2025-24801):
Once the first vulnerability has been exploited, an attacker can simply read the API authentication tokens, which are stored in clear text in the database. Once authenticated with one of these tokens, the attacker can execute code remotely.
Who is impacted by the vulnerability?
In order to establish which organizations are affected by these two vulnerabilities, our identification technique relies on correctly identifying the GLPI version.
Version matching is a reliable method for identifying this type of vulnerability, but it does not take into account the preconditions required for exploitation. In this case, a configuration setting needs to be enabled for the vulnerable code path to be reachable. According to the blog post by Lexfo, the company that discovered these vulnerabilities, this setting is enabled more often than not.
According to our analysis performed on the 13th March at 10am CET and based on this identification method, 6929 GLPI instances were identified on the Internet.
Of these, 3035 appeared to be vulnerable, i.e. 43.8% of all instances.
In France alone, no fewer than 680 vulnerable instances were detected.
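As an added illustration (not part of the original analysis, and not GLPI's own tooling), the version comparison behind this kind of identification, with the exploitation precondition the article mentions modelled as a separate per-host field; the sample records, hostnames and the status labels are constructed for the example.

```python
import re

FIXED_VERSION = "10.0.18"  # version in which the fix shipped (from the article)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")

def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH[-prerelease]' into a comparable tuple.
    Last element is True for a final release, so '10.0.18-dev' < '10.0.18'.
    Unparseable input raises rather than being silently treated as patched."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GLPI version string: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), pre is None)

def is_vulnerable_version(version):
    """True when the version predates the fix. Compare numerically: as plain
    strings '10.0.9' > '10.0.18', which would hide a vulnerable host."""
    return parse_version(version) < parse_version(FIXED_VERSION)

def triage(hosts):
    """Classify (host, version, inventory_enabled) records.
    inventory_enabled is True, False or None (unknown). A vulnerable version
    with native inventory confirmed off is recorded separately: that is the
    precondition version-based scanning cannot see. Unknown status is treated
    as enabled, which the article says is the common case."""
    result = {}
    for host, version, inventory_enabled in hosts:
        try:
            vulnerable = is_vulnerable_version(version)
        except ValueError:
            result[host] = "unknown_version"
            continue
        if not vulnerable:
            result[host] = "patched"
        elif inventory_enabled is False:
            result[host] = "vulnerable_version_inventory_off"
        else:
            result[host] = "exposed"
    return result

# Constructed sample records; hostnames and versions are illustrative only.
SAMPLE_HOSTS = [
    ("glpi.example.test", "10.0.17", True),
    ("helpdesk.example.test", "10.0.18", True),
    ("assets.example.test", "10.0.9", False),
    ("lab.example.test", "10.0.18-dev", None),
    ("legacy.example.test", "unknown", True),
]
```

Running `triage(SAMPLE_HOSTS)` separates hosts that only need the inventory precondition checked from those that are exposed as found, which is the distinction a pure version count cannot make.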
Three types of organization were identified among the affected systems.
25% of the vulnerable instances are run by companies in the IT sector, notably many IT service providers who use GLPI to manage their customers’ IT assets.
20% of the vulnerable systems are linked to the education sector, including schools and universities. This figure is not surprising given that IT support teams in many universities in France have adopted GLPI for handling their day-to-day operations.
Finally, around 5% are identifiable as public entities. The dataset reveals the names of several local authorities and town halls.
What to do if your GLPI system is affected by these vulnerabilities?
You must urgently update your GLPI instance to the latest version available.
If it is not possible to update immediately, you are advised to deactivate GLPI’s native inventory function. In addition, it is recommended that you restrict external access to the application using the firewall at the edge of your network.
Applying the principle of least privilege will also ensure that GLPI operates with the minimum privileges necessary, thereby limiting the impact of any successful exploitation.