CVE-2025-24801: 
GLPI vulnerability analysis and mitigation

GLPI, a free asset and IT management software package, was found to contain a critical vulnerability (CVE-2025-24801) that was disclosed on March 18, 2025. The vulnerability allows authenticated users to upload and force the execution of PHP files located on the GLPI server (GitHub Advisory).

The vulnerability is classified as an Unrestricted Upload of File with Dangerous Type (CWE-434). It has been assigned a CVSS v3.1 base score of 8.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating network attack vector, high attack complexity, low privileges required, no user interaction needed, and potential for high impacts on confidentiality, integrity, and availability (NVD).

The vulnerability allows authenticated attackers to execute arbitrary PHP files on the GLPI server, potentially leading to complete system compromise. The CVSS scoring indicates high impacts on confidentiality, integrity, and availability of the affected system (GitHub Advisory).

The vulnerability has been patched in GLPI version 10.0.18. Users are strongly advised to upgrade to this version to mitigate the risk (GitHub Advisory).

The vulnerability was discovered and reported by Lexfo, a security research firm. For additional information or concerns, users can contact the GLPI security team at glpi-security@ow2.org (GitHub Advisory).