CVE-2025-53111: GLPI Unauthorized Access Vulnerability

This blog post details a security vulnerability, CVE-2025-53111, affecting GLPI, a popular Free Asset and IT Management Software package. Versions 0.80 through 10.0.18 are susceptible to unauthorized access due to missing permission checks. A fix is available in version 10.0.19.

Vulnerability Details

  • CVE ID: CVE-2025-53111
  • Description: GLPI versions 0.80 through 10.0.18 lack sufficient permission checks, allowing unauthorized access to resources. This vulnerability is resolved in version 10.0.19.
  • CVSS Score: 6.5 (MEDIUM)
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • CVSS Explanation: The vector rates the vulnerability medium severity. It is exploitable over the network (AV:N) with low attack complexity (AC:L), by an attacker holding low privileges (PR:L), with no user interaction (UI:N) and no scope change (S:U). The impact is confined to confidentiality and rated high (C:H): an attacker can read sensitive data, while integrity and availability are not affected (I:N, A:N).
  • Exploit Requirements: The attacker needs to have at least low privileges within the GLPI system. No user interaction is required.
  • Affected Vendor: GLPI
  • Affected Product: GLPI
  • Affected Versions: 0.80 through 10.0.18
  • CWE: CWE-284 (Improper Access Control), CWE-862 (Missing Authorization)
  • CWE Explanation: CWE-284 and CWE-862 both describe an application that does not verify whether the requesting user is authorized for a resource before serving it, so users can view or modify data they should not have access to. For this CVE the CVSS vector indicates that the confirmed impact is disclosure (reading data) rather than modification.

Timeline of Events

  • 2025-07-30: Vulnerability disclosed and CVE assigned.
  • 2025-07-30: Security advisory published.
  • 2025-07-31: Blog post created to inform users.

Exploitability & Real-World Risk

This vulnerability can be exploited by any authenticated user within the GLPI system, even those with minimal permissions. The risk is significant because GLPI often manages sensitive IT asset and configuration data. A successful exploit could lead to data breaches, compliance violations, and a loss of trust. Given the widespread usage of GLPI in IT environments, the potential impact is substantial.

Recommendations

  • Upgrade to version 10.0.19 or later immediately. This version contains the fix for the vulnerability.
  • Review user permissions to ensure least privilege.
  • Monitor GLPI logs for any suspicious activity.

Technical Insight

The vulnerability stems from missing permission checks when certain resources within GLPI are accessed. The application does not adequately verify whether the logged-in user holds the rights needed to view or modify the requested data, so any authenticated account can reach resources its profile should not expose.
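The following Python model is an added illustration of the CWE-862 pattern described above and is not GLPI's code or API. It assumes a simplified rights model (a profile granting rights per item type, plus entity scoping), constructed sample users and inventory, and hypothetical handler names: `get_asset_unchecked` shows an authenticated-only gate that leaks any item, `get_asset_checked` enforces both the right and the entity scope and records each decision, and `repeated_denials` turns that audit trail into a simple review signal for the "monitor logs" recommendation.

```python
"""Added illustration of CWE-862 (missing authorization) and its fix.

Everything here (model, users, inventory, function names) is constructed for
the example; it is not GLPI's code, data or API.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

READ = "read"
UPDATE = "update"


@dataclass
class User:
    name: str
    rights: Dict[str, Set[str]]  # itemtype -> rights granted by the profile
    entities: Set[int]           # entity ids the user may work in


@dataclass
class Asset:
    item_id: int
    itemtype: str
    entity_id: int
    data: str


class AccessDenied(Exception):
    """Raised when the caller lacks the right or entity scope for an item."""


# Constructed sample inventory: two entities (1 = HQ, 2 = branch), three items.
INVENTORY: Dict[int, Asset] = {
    1: Asset(1, "ticket", 1, "Printer on floor 2 jams"),
    2: Asset(2, "computer", 1, "HQ file server: serial FS-0001, BIOS v1.2"),
    3: Asset(3, "computer", 2, "Branch laptop: serial LT-0042"),
}

# Constructed sample profiles.
HELPDESK = User("helpdesk", {"ticket": {READ, UPDATE}}, {1})
BRANCH_TECH = User("branch_tech", {"computer": {READ}}, {2})
ADMIN = User("admin", {"ticket": {READ, UPDATE}, "computer": {READ, UPDATE}}, {1, 2})


def get_asset_unchecked(user: User, item_id: int) -> str:
    """The CWE-862 shape: being logged in is the only gate, so any
    authenticated account can read any item, whatever its profile says."""
    return INVENTORY[item_id].data


def is_allowed(user: User, asset: Asset, right: str) -> bool:
    """Authorization decision: the right must be granted for the item's type
    AND the item's entity must be within the user's scope."""
    has_right = right in user.rights.get(asset.itemtype, set())
    in_scope = asset.entity_id in user.entities
    return has_right and in_scope


def get_asset_checked(user: User, item_id: int, right: str,
                      audit: Optional[List[dict]] = None) -> str:
    """Hardened handler: decide with is_allowed() before serving the item
    and record every decision (allowed or not) for later review."""
    asset = INVENTORY.get(item_id)
    if asset is None:
        raise KeyError(f"no item {item_id}")
    allowed = is_allowed(user, asset, right)
    if audit is not None:
        audit.append({"user": user.name, "item": item_id,
                      "itemtype": asset.itemtype, "right": right,
                      "allowed": allowed})
    if not allowed:
        raise AccessDenied(f"{user.name} may not {right} {asset.itemtype} {item_id}")
    return asset.data


def repeated_denials(audit: List[dict], threshold: int = 2) -> Dict[str, int]:
    """Monitoring helper: accounts with at least `threshold` denied requests
    in the audit trail, the kind of signal worth a manual review."""
    counts: Dict[str, int] = {}
    for entry in audit:
        if not entry["allowed"]:
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    trail: List[dict] = []
    # The unchecked handler hands the helpdesk account a computer record it has no right to.
    print("unchecked:", get_asset_unchecked(HELPDESK, 2))
    for user, item in [(HELPDESK, 1), (HELPDESK, 2), (HELPDESK, 3), (BRANCH_TECH, 2), (ADMIN, 3)]:
        try:
            print(f"{user.name} -> {get_asset_checked(user, item, READ, trail)}")
        except AccessDenied as exc:
            print("denied:", exc)
    print("accounts to review:", repeated_denials(trail))
```

The two dimensions checked in `is_allowed` matter separately: `branch_tech` holds the computer-read right yet is still denied the HQ server because that item lies outside its entity, which is exactly the kind of boundary an "authenticated is enough" handler ignores.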

Credit to Researcher(s)

This vulnerability was reported via GitHub Security Advisories.

Tags

#GLPI #CVE-2025-53111 #UnauthorizedAccess #ITManagement #SecurityVulnerability

Summary: CVE-2025-53111 affects GLPI versions 0.80 through 10.0.18, allowing unauthorized access due to missing permission checks. Upgrade to version 10.0.19 to mitigate the risk.

CVE ID: CVE-2025-53111

Risk Analysis: Successful exploitation could lead to data breaches, compliance violations, and a loss of trust due to unauthorized access to sensitive IT asset and configuration data managed by GLPI.

Recommendation: Upgrade to GLPI version 10.0.19 or later. Review user permissions to enforce least privilege. Monitor logs for suspicious activity.
