
Cloud Vulnerability DB
A community-led vulnerabilities database
GLPI, a free asset and IT management software package, was found to contain a critical SQL injection vulnerability (CVE-2025-24799) affecting versions 10.0.0 to 10.0.17. The vulnerability was discovered in February 2025 and patched in version 10.0.18. The issue allows an unauthenticated user to perform SQL injection through the inventory endpoint (GitHub Advisory).
The vulnerability stems from improper sanitization of the deviceid parameter in the handleAgent function inside /src/Agent.php. Although the code attempts to sanitize the input with dbEscapeRecursive, that escaping does not adequately protect the value as it is used in INSERT statements. The vulnerability received a CVSS v3.1 base score of 7.5 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating that it can be exploited remotely without authentication or user interaction (GitHub Advisory, AttackerKB).
The vulnerability allows attackers to perform time-based blind SQL injection to extract sensitive information from the database, including usernames, password hashes (bcrypt with cost factor 10), and API tokens. If an attacker cracks an administrative user's password hash, this could lead to code execution, especially when combined with other vulnerabilities patched in the same version (AttackerKB).
The primary mitigation is to upgrade to GLPI version 10.0.18 or later, which contains the patch for this vulnerability. If an immediate upgrade is not possible, organizations should ensure that the Inventory feature is disabled unless it is absolutely necessary (GitHub Advisory).
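Added example (not from the advisory or from GLPI's own code): a detection pass over web-server access logs that flags requests to the inventory endpoint whose deviceid value carries time-based SQL injection markers, and inventory requests that took unusually long, which is the trace the blind probing described above leaves behind. The endpoint paths, the log format with an appended response-time field, and the sample log lines are all assumptions or constructed data; if your agents deliver deviceid in the request body rather than the query string, feed inspect_deviceid() values captured at the reverse proxy or WAF instead.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Assumed log format (constructed): nginx combined log with $request_time appended.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<rtime>[\d.]+)$')

# Hypothetical endpoint paths; adjust to the path your GLPI deployment exposes.
INVENTORY_PATHS = {"/front/inventory.php", "/inventory"}

# Markers of time-based blind SQL injection against MySQL/MariaDB.
TIME_BASED_RE = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)
SLOW_THRESHOLD_S = 3.0  # an agent check-in should not take seconds

def inspect_deviceid(value):
    """Return the reasons a deviceid value looks like an injection attempt."""
    decoded = unquote_plus(value)  # unmask a second layer of URL encoding
    reasons = []
    if TIME_BASED_RE.search(decoded):
        reasons.append("time-based SQL function in deviceid")
    if re.search(r"['\"\\;]|--|/\*", decoded):
        reasons.append("SQL metacharacters in deviceid")
    return reasons

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    return {"ip": m["ip"], "ts": m["ts"], "path": url.path, "rtime": float(m["rtime"]),
            "query": parse_qs(url.query, keep_blank_values=True)}

def scan_access_log(lines):
    """Return (ip, timestamp, reasons) for suspicious inventory-endpoint requests."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        if rec["path"] not in INVENTORY_PATHS:
            continue  # the vulnerable handler only sits behind the inventory endpoint
        reasons = [r for v in rec["query"].get("deviceid", []) for r in inspect_deviceid(v)]
        if rec["rtime"] >= SLOW_THRESHOLD_S:
            reasons.append(f"slow response ({rec['rtime']:.1f}s)")
        if reasons:
            hits.append((rec["ip"], rec["ts"], reasons))
    return hits

# Constructed sample lines: a benign agent check-in, a probe, and a slow follow-up request.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2025:08:00:01 +0000] "GET /front/inventory.php?deviceid=host01-2025-03-12-08-00-00 HTTP/1.1" 200 512 "-" "GLPI-Agent/1.11" 0.042',
    '203.0.113.9 - - [12/Mar/2025:08:03:10 +0000] "GET /front/inventory.php?deviceid=x%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 128 "-" "python-requests/2.32" 5.013',
    '203.0.113.9 - - [12/Mar/2025:08:03:20 +0000] "GET /front/inventory.php?deviceid=host02 HTTP/1.1" 200 128 "-" "python-requests/2.32" 4.9',
]
```

Calling `scan_access_log(SAMPLE_LOG)` reports the two requests from 203.0.113.9 and nothing for the agent check-in; the slow-response heuristic is what still catches probes whose payload never reaches the access log.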
Source: This report was generated using AI