CVE-2025-53112: GLPI Vulnerability Allows Unauthorized Resource Deletion

GLPI, a popular open-source IT asset management and service desk software, has a security vulnerability that could allow users with low privileges to delete certain resources they shouldn't be able to. Let's dive into the details and see how to protect yourself.

Vulnerability Details

  • CVE ID: CVE-2025-53112
  • Description: A lack of proper permission checks in GLPI versions 9.1.0 through 10.0.18 can lead to unauthorized removal of specific resources. An authenticated attacker with low privileges could exploit this flaw.
  • CVSS Score: 4.3 (Medium)
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
  • CVSS Explanation: This vulnerability has a CVSS score of 4.3, indicating a medium severity. It means an attacker can exploit it over the network (AV:N) with low complexity (AC:L), requiring only low privileges (PR:L) and no user interaction (UI:N). The impact is limited to a loss of integrity (I:L), meaning the attacker can modify some data, but there is no impact on confidentiality or availability.
  • Exploit Requirements: An attacker needs valid GLPI credentials with at least low-level access.
  • Affected Vendor: GLPI
  • Affected Product: GLPI
  • Affected Versions: 9.1.0 through 10.0.18
  • CWE: CWE-284 - Improper Access Control & CWE-862 - Missing Authorization
  • CWE Explanation: CWE-284 and CWE-862 both describe access control failures. In essence, the software does not verify whether a user holds the necessary permission before allowing an action, in this case deleting resources.

Timeline of Events

  • Reported: Unknown
  • Published (CVE): 2025-07-30
  • Fixed: 2025-07-30 (GLPI 10.0.19)

Exploitability & Real-World Risk

While the CVSS score is medium, the real-world risk depends on your GLPI configuration and how sensitive the affected resources are. If low-level users in your GLPI instance manage critical assets, this vulnerability could lead to data loss or service disruption. An attacker might intentionally delete valuable records or configuration items, causing significant problems. It's crucial to patch promptly.

Recommendations

  • Upgrade: Upgrade your GLPI instance to version 10.0.19 or later. This version contains the fix for CVE-2025-53112.
  • Review Permissions: Regularly review user permissions and roles within GLPI to ensure they adhere to the principle of least privilege.
  • Monitor Logs: Monitor GLPI logs for any suspicious activity, especially related to resource deletion.

Technical Insight

The vulnerability stems from insufficient checks within the GLPI codebase. The functions responsible for deleting certain resources do not verify, before carrying out the deletion, that the requesting user actually holds the right to delete that resource. Because the check is missing on the server side, an authenticated user with low privileges can bypass the normal access controls and remove resources they should not be able to.
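To make the CWE-862 pattern concrete, here is an added illustration (not GLPI's code, and not the patched function): a hypothetical deletion handler for a PHP asset-management application, first with only an authentication check, then with the per-item-type permission check that closes the gap. The `Session`, `ItemRepository`, right constants and handler names are all assumptions made for this example.

```php
<?php
// Added example, not GLPI's code. Hypothetical session carrying per-item-type
// rights as a bitmask, e.g. ['Computer' => RIGHT_READ | RIGHT_UPDATE].
declare(strict_types=1);

const RIGHT_READ   = 1;
const RIGHT_UPDATE = 2;
const RIGHT_DELETE = 4;

final class Session
{
    /** @param array<string,int> $rights rights bitmask keyed by item type */
    public function __construct(public readonly int $userId, private array $rights) {}

    public function hasRight(string $itemtype, int $right): bool
    {
        return (($this->rights[$itemtype] ?? 0) & $right) === $right;
    }
}

/** Hypothetical storage layer; stands in for the database. */
final class ItemRepository
{
    /** @var array<string,array<int,string>> itemtype => [id => name] */
    private array $items = ['Computer' => [1 => 'srv-01', 2 => 'srv-02']];

    public function exists(string $t, int $id): bool { return isset($this->items[$t][$id]); }
    public function delete(string $t, int $id): bool
    {
        if (!$this->exists($t, $id)) { return false; }
        unset($this->items[$t][$id]);
        return true;
    }
}

// Vulnerable shape: being logged in is the only gate, so any authenticated
// user can remove any item (the missing-authorization pattern, CWE-862).
function deleteItemVulnerable(Session $s, ItemRepository $repo, string $itemtype, int $id): bool
{
    return $repo->delete($itemtype, $id);
}

// Hardened shape: verify the DELETE right for this item type on the server
// before touching storage, deny by default, and record the refusal for monitoring.
function deleteItemHardened(Session $s, ItemRepository $repo, string $itemtype, int $id): bool
{
    if (!$s->hasRight($itemtype, RIGHT_DELETE)) {
        error_log(sprintf('denied: user %d lacks DELETE on %s #%d', $s->userId, $itemtype, $id));
        return false;
    }
    return $repo->delete($itemtype, $id);
}
```

With a session granting only `RIGHT_READ` on `Computer`, the vulnerable handler returns true and removes the item, while the hardened one refuses, leaves the record in place and logs the attempt, which is the event the "Monitor Logs" recommendation above is asking you to watch for.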

Credit to Researcher(s)

The security advisory on GitHub does not mention a specific researcher. Credit goes to the GLPI project security team for identifying and addressing this vulnerability.

Tags

#GLPI #CVE-2025-53112 #ITManagement #AssetManagement #SecurityVulnerability #UnauthorizedDeletion #PatchNow

Summary: GLPI versions 9.1.0 through 10.0.18 are vulnerable to unauthorized resource deletion due to missing permission checks. An authenticated attacker with low privileges can exploit this to remove specific resources. Upgrade to version 10.0.19 to mitigate this vulnerability.

CVE ID: CVE-2025-53112

Risk Analysis: Successful exploitation could lead to data loss, service disruption, and potential financial losses if critical assets are deleted. The risk is higher for organizations that rely heavily on GLPI for asset management.

Recommendation: Upgrade to GLPI version 10.0.19 or later to patch this vulnerability. Review and enforce the principle of least privilege for GLPI user accounts.

Timeline

  • 2025-07-30: CVE Published and GLPI 10.0.19 Released
