CVE-2025-52897: GLPI Vulnerable to Unauthenticated Phishing Attacks via Malicious Links

🔍 TL;DR Summary

A concerning vulnerability, CVE-2025-52897, has been identified in GLPI, a widely used IT and Asset Management software. Versions 9.1.0 through 10.0.18 are susceptible to an unauthenticated phishing attack. By exploiting a flaw in the planning feature, malicious actors can craft and send deceptive links to users. Clicking these links could lead to the compromise of sensitive information or other malicious activities. It's crucial to upgrade to version 10.0.19 to mitigate this risk.

🚨 Vulnerability Details

CVE ID:

CVE-2025-52897

Description:

GLPI (Free Asset and IT Management Software) versions 9.1.0 through 10.0.18 are vulnerable to unauthenticated phishing attacks. An attacker can exploit the planning feature to send malicious links, potentially leading to credential theft or other malicious outcomes. The vulnerability is resolved in version 10.0.19.

CVSS Score and Vector:

The CVSS v3.1 score for this vulnerability is 6.5 (Medium). The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N.

Explanation: This means the vulnerability is accessible over the network (AV:N), requires low attack complexity (AC:L), needs no privileges (PR:N), requires user interaction (UI:R), does not change scope (S:U), has a high impact on confidentiality (C:H), i.e. sensitive information could be exposed, and has no impact on integrity (I:N) or availability (A:N). The user needs to click the link for the exploit to occur.

Exploit Requirements:

An attacker only needs to craft a malicious link and trick a user into clicking it.

Affected Vendor, Product, Version:

  • Vendor: GLPI-Project
  • Product: GLPI
  • Versions: 9.1.0 through 10.0.18

CWE:

This vulnerability is related to CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)) and CWE-601 (URL Redirection to Untrusted Site ('Open Redirect')).

Explanation: CWE-80 means the application doesn't properly sanitize user-supplied data before including it in a web page, potentially allowing for Cross-Site Scripting (XSS) attacks. CWE-601 means the application allows redirection to an arbitrary URL, which can be used in phishing attacks to redirect users to malicious websites.

📅 Timeline of Events

  • 2025-07-30: Vulnerability publicly disclosed.
  • 2025-07-30: CVE-2025-52897 assigned.

🧠 Exploitability & Real-World Risk

This vulnerability is highly exploitable as it requires minimal technical skill. An attacker can craft a phishing email with a malicious link that appears legitimate, deceiving users into clicking it. The real-world risk is significant, as a successful attack could lead to the theft of sensitive user credentials, unauthorized access to IT systems, or further propagation of malware within the organization. Given the widespread use of GLPI, this vulnerability poses a considerable threat.

🛠️ Recommendations

  • Upgrade to GLPI version 10.0.19 or later immediately. This version contains the necessary fix to address the vulnerability.
  • Educate users about the dangers of phishing attacks. Train them to recognize suspicious links and emails, and to avoid clicking on links from unknown sources.
  • Implement email security measures. Use email filtering and anti-phishing technologies to block malicious emails from reaching users.
  • Monitor GLPI logs for suspicious activity. Look for unusual patterns or unauthorized access attempts.

🧪 Technical Insight

The vulnerability stems from insufficient input validation in the planning feature of GLPI. The application fails to properly sanitize URLs provided by users, allowing attackers to inject malicious links. These links can then be used to redirect users to phishing sites, where they may be tricked into entering their credentials or other sensitive information.
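As an added illustration (not GLPI's own code or its fix), this is the kind of redirect-target validation the paragraph describes as missing: only same-site paths or allow-listed hosts are accepted, and the common open-redirect bypasses are rejected. The host allow-list and the sample URLs are constructed values.

```python
from urllib.parse import urlsplit

# Hosts this deployment may redirect to (constructed placeholder values).
ALLOWED_HOSTS = {"glpi.example.internal"}
ALLOWED_SCHEMES = {"http", "https"}


def is_safe_redirect_target(url: str, allowed_hosts: set = ALLOWED_HOSTS) -> bool:
    """Return True only for a same-site relative path or an allow-listed host.

    Rejects the usual bypasses: scheme-relative URLs ("//evil"), backslash
    variants that browsers normalise to "/", non-web schemes such as
    "javascript:", userinfo tricks ("https://trusted@evil"), and control
    characters that could be used for header injection."""
    if not url or any(c in url for c in "\r\n\x00"):
        return False
    # Browsers treat "\" like "/" in the authority position, so normalise first.
    candidate = url.strip().replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: must start with exactly one "/" (no "//" after normalising).
        return candidate.startswith("/") and not candidate.startswith("//")
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if "@" in parts.netloc:
        return False  # userinfo can disguise the real destination host
    host = parts.hostname.lower() if parts.hostname else ""
    return host in allowed_hosts


def sanitise_redirect(url: str, fallback: str = "/") -> str:
    """Return url unchanged if it is safe, otherwise the local fallback page."""
    return url if is_safe_redirect_target(url) else fallback
```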

🙌 Credit to Researcher(s)

This vulnerability was reported via a GitHub Security Advisory.

🔗 References

🧵 Tags

#GLPI #CVE-2025-52897 #Phishing #Vulnerability #ITManagement #AssetManagement #Security
