CVE-2025-23024: 
GLPI vulnerability analysis and mitigation

CVE-2025-23024 is a moderate severity security vulnerability affecting GLPI, a free asset and IT management software package. The vulnerability was discovered by jcervantes-sipecom and disclosed on February 25, 2025. This security issue allows an unauthenticated user to disable all active plugins in GLPI versions 0.72 and above (GitHub Advisory).

The vulnerability has been assigned a CVSS v4.0 score of 6.9 (Moderate) with the following vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N. The attack vector is network-based, requires low complexity, no special privileges, and no user interaction. The vulnerability impacts only the availability of the vulnerable system with low severity, while confidentiality and integrity remain unaffected (GitHub Advisory).

When exploited, this vulnerability allows anonymous users to disable all active plugins in the GLPI installation, potentially disrupting system functionality and availability. The impact is primarily focused on system availability, with no direct effect on data confidentiality or integrity (GitHub Advisory).

The vulnerability has been patched in GLPI version 10.0.18. Users are recommended to upgrade to this version immediately. As a temporary workaround, administrators can delete the install/update.php file. For additional support or questions, users can contact the GLPI security team at glpi-security@ow2.org (GitHub Release, GitHub Advisory).

The release of GLPI 10.0.18 has received positive community response, with 19 users reacting with thumbs up and 7 with rocket emojis on the GitHub release page, indicating strong community support for this security update (GitHub Release).