SQL Injection vulnerability discovered in GLPI IT Service Management tool
Take action: If you run GLPI IT Service Management, the right decision is to patch promptly. If you cannot patch immediately, check whether you can keep the vulnerable inventory endpoint off the internet or place GLPI behind a web application firewall (WAF). Be aware, however, that WAF rules can often be bypassed with SQL injection obfuscation techniques (inline comments, alternative whitespace, case changes and encoding tricks), so treat a WAF as a stopgap. Patching is the only safe option.
Learn More
An SQL injection security vulnerability has been identified in GLPI, a popular open-source IT Service Management (ITSM) tool widely used for helpdesk operations, asset management, and IT support.
The flaw, tracked as CVE-2025-24799 (CVSS score 7.5), allows remote, unauthenticated attackers to perform SQL injection through the inventory endpoint. It is caused by the way GLPI handles certain user-supplied input sent to that endpoint: the input reaches the database query without adequate sanitisation, so an attacker who needs no account on the system can send malicious SQL to the underlying database, gain unauthorised access to sensitive information and potentially go on to execute arbitrary commands on the server.
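The two points above (input concatenated into a query, and WAF pattern rules being bypassable by obfuscation) are easier to see in working code. The following is an added generic demonstration, not GLPI's code and not the actual injection point of CVE-2025-24799: it uses a constructed in-memory SQLite table, a deliberately vulnerable lookup beside its parameterised fix, and a hypothetical one-rule "WAF" that blocks the textbook payload but not a comment-obfuscated variant.

```python
import re
import sqlite3

# Constructed sample data standing in for an asset inventory table.
# Generic illustration only; this is not GLPI's schema.
SAMPLE_ASSETS = [
    (1, "laptop-001", "public"),
    (2, "server-db-01", "secret"),
]


def make_db():
    """Build a throwaway in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE assets (id INTEGER, name TEXT, notes TEXT)")
    conn.executemany("INSERT INTO assets VALUES (?, ?, ?)", SAMPLE_ASSETS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable pattern: user input is spliced into the SQL text.

    A quote in `name` closes the string literal, so the rest of the input
    becomes part of the statement and can rewrite the WHERE clause.
    """
    sql = f"SELECT name FROM assets WHERE name = '{name}' AND notes = 'public'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn, name):
    """Hardened pattern: a parameterised query.

    The driver sends the value separately from the statement, so the input
    can only ever be compared as data and never changes the query structure.
    """
    sql = "SELECT name FROM assets WHERE name = ? AND notes = 'public'"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


# Hypothetical single WAF-style rule: block the classic "OR 1=1" tautology
# separated by ordinary whitespace. Real WAF rule sets are far larger, but
# they are still pattern matchers and share this weakness.
NAIVE_WAF_RULE = re.compile(r"\bOR\s+1\s*=\s*1\b", re.IGNORECASE)


def waf_allows(value):
    """Return True if the naive rule would let this input through."""
    return NAIVE_WAF_RULE.search(value) is None


# Textbook payload and an obfuscated variant. SQLite (like MySQL, which GLPI
# uses) treats /**/ as a comment, so the database sees the same tautology
# while the regex, which expects \s+ between OR and 1, no longer matches.
PAYLOAD_PLAIN = "' OR 1=1 --"
PAYLOAD_OBFUSCATED = "' OR/**/1=1 --"


def run_demo():
    """Run every combination and return the results for inspection."""
    conn = make_db()
    return {
        "vulnerable_plain": lookup_vulnerable(conn, PAYLOAD_PLAIN),
        "vulnerable_obfuscated": lookup_vulnerable(conn, PAYLOAD_OBFUSCATED),
        "safe_obfuscated": lookup_safe(conn, PAYLOAD_OBFUSCATED),
        "waf_blocks_plain": not waf_allows(PAYLOAD_PLAIN),
        "waf_blocks_obfuscated": not waf_allows(PAYLOAD_OBFUSCATED),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The vulnerable lookup returns the "secret" row for both payloads, the naive rule stops only the plain one, and the parameterised lookup returns nothing for either because the payload is compared as a literal asset name. That is the whole argument for patching over filtering: the fix removes the bug, while the WAF only removes the payloads it happens to recognise.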
The vulnerability affects GLPI versions 10.0.0 through 10.0.17.
The GLPI development team has fixed the vulnerability in version 10.0.18. Organizations running affected versions are strongly urged to upgrade to GLPI 10.0.18 or later immediately. If immediate patching is not possible, place GLPI behind a web application firewall to block common SQL injection attempts and minimise the internet exposure of GLPI installations, treating both measures as temporary mitigations rather than a replacement for the patch.