CVE-2025-53008: GLPI Vulnerability Exposes Mail Receiver Credentials
GLPI, a popular IT asset management software, has addressed a vulnerability that could allow a connected user to steal mail receiver credentials. This post details the flaw, its potential impact, and recommended actions to protect your GLPI instance.
Vulnerability Details
- CVE ID: CVE-2025-53008
- Description: A connected (authenticated) user in GLPI versions 9.3.1 through 10.0.19 can steal mail receiver credentials. An attacker holding those credentials could then access the mailboxes and sensitive information handled by those mail receivers. The vulnerability is fixed in version 10.0.19.
- CVSS Score: 6.5 (Medium)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- CVSS Explanation: This vulnerability has a medium severity score because it can be exploited remotely (AV:N) with low complexity (AC:L) and requires low privileges (PR:L). User interaction is not required (UI:N) and the scope is unchanged (S:U). The confidentiality impact is high (C:H), meaning an attacker could gain access to sensitive data, but integrity (I:N) and availability (A:N) are not affected.
- Exploit Requirements: A valid GLPI user account is required to exploit this vulnerability.
- Affected Vendor: GLPI
- Affected Product: GLPI
- Affected Versions: 9.3.1 through 10.0.19
- CWE: CWE-522 - Insufficiently Protected Credentials
- CWE Explanation: CWE-522 refers to situations where an application stores or transmits sensitive credentials (like passwords or API keys) without adequate protection. This lack of protection can make it easier for attackers to steal these credentials and use them to gain unauthorized access.
Timeline of Events
- 2025-07-30: CVE Published and vulnerability disclosed.
- 2025-07-30: Patch released in GLPI version 10.0.19.
Exploitability & Real-World Risk
The vulnerability's exploitability is relatively high, because the only precondition is a valid GLPI user account. In a real-world scenario, an attacker who has compromised a low-privilege user account could use this vulnerability to obtain the mail receiver credentials. That could lead to further compromise of the IT infrastructure, since the attacker could read the sensitive emails those receivers poll or potentially use the mail server to send malicious emails.
Recommendations
- Upgrade to GLPI 10.0.19: The primary recommendation is to upgrade your GLPI installation to version 10.0.19 or later, which contains the fix for this vulnerability.
- Review User Permissions: Regularly review and audit user permissions within GLPI to ensure that users only have the necessary access required for their roles.
- Monitor GLPI Logs: Monitor GLPI logs for any suspicious activity, such as unusual access patterns or attempts to access mail receiver configurations.
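As an added example of the log monitoring recommended above (this is not GLPI project code), the script below scans web server access logs for clients that hit the mail receiver configuration screens unusually often within a short window. It assumes GLPI sits behind a web server writing combined-format access logs and that the mail receiver screens are served from /front/mailcollector.php and /front/mailcollector.form.php; adjust MAIL_RECEIVER_PATHS, THRESHOLD and WINDOW to your instance. The log lines are constructed for the example.

```python
"""Flag bursts of access to GLPI mail receiver configuration pages.

Added example, not GLPI project code. Assumptions: combined-format web server
access logs, and mail receiver screens under the paths in MAIL_RECEIVER_PATHS.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed paths of the mail receiver configuration screens; verify on your instance.
MAIL_RECEIVER_PATHS = ("/front/mailcollector.php", "/front/mailcollector.form.php")
WINDOW = timedelta(minutes=10)
THRESHOLD = 5  # successful hits per client within WINDOW before we alert

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic): one client doing ordinary admin
# work, one client requesting every mail receiver record in quick succession.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Jul/2025:09:00:01 +0000] "GET /front/central.php HTTP/1.1" 200 5120
10.0.0.5 - - [30/Jul/2025:09:02:10 +0000] "GET /front/mailcollector.form.php?id=1 HTTP/1.1" 200 8123
10.0.0.77 - - [30/Jul/2025:10:15:00 +0000] "GET /front/mailcollector.php HTTP/1.1" 200 4096
10.0.0.77 - - [30/Jul/2025:10:15:02 +0000] "GET /front/mailcollector.form.php?id=1 HTTP/1.1" 200 8123
10.0.0.77 - - [30/Jul/2025:10:15:03 +0000] "GET /front/mailcollector.form.php?id=2 HTTP/1.1" 200 8101
10.0.0.77 - - [30/Jul/2025:10:15:04 +0000] "GET /front/mailcollector.form.php?id=3 HTTP/1.1" 200 8140
10.0.0.77 - - [30/Jul/2025:10:15:05 +0000] "GET /front/mailcollector.form.php?id=4 HTTP/1.1" 200 8099
10.0.0.77 - - [30/Jul/2025:10:15:06 +0000] "GET /front/mailcollector.form.php?id=5 HTTP/1.1" 200 8133
"""


def parse_line(line: str):
    """Return (ip, timestamp, path-without-query, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), ts, path, int(m.group("status"))


def find_bursts(log_text: str, threshold: int = THRESHOLD, window: timedelta = WINDOW) -> dict:
    """Map client IP -> peak number of mail receiver page hits seen inside one window.

    Only clients whose peak reaches `threshold` are returned.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path, status = rec
        if status == 200 and path in MAIL_RECEIVER_PATHS:
            hits[ip].append(ts)

    alerts = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        # Sliding window over the sorted timestamps for this client.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), count)
    return alerts


if __name__ == "__main__":
    for ip, count in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {count} mail receiver page hits within {WINDOW}")
```

Pair this with the authentication log so an alert can be tied back to the GLPI account that was logged in from that client, and treat any account that trips it as a candidate for credential rotation on the affected mail receivers.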
Technical Insight
The advisory does not give technical details, but the most likely cause is that mail receiver credentials were stored or exposed in a way that authenticated users could reach without adequate access control. The fix probably tightens the access controls around those credentials or strengthens how they are protected at rest.
Credit to Researcher(s)
The advisory was published by GitHub Security Advisories. Specific researchers may be credited in the linked advisory.
Tags
#GLPI #CVE-2025-53008 #InformationDisclosure #Credentials #ITManagement #SecurityVulnerability
Summary: A vulnerability (CVE-2025-53008) in GLPI versions 9.3.1 through 10.0.19 allows a connected user to steal mail receiver credentials. Upgrade to version 10.0.19 to fix this issue and secure your system.
CVE ID: CVE-2025-53008
Risk Analysis: Compromise of mail server credentials can lead to unauthorized access to sensitive information and potential misuse of the mail server for malicious purposes.
Recommendation: Upgrade to GLPI version 10.0.19 to patch this vulnerability.