CVE-2025-21619
Published: 18 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-21619 is a SQL injection vulnerability (CWE-89) in GLPI, a free asset and IT management software package. The flaw exists in the rules configuration forms, allowing malicious SQL queries to be executed. It affects GLPI versions prior to 10.0.18 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high impacts on confidentiality, integrity, and availability.
An administrator user can exploit this vulnerability by submitting crafted input through the rules configuration forms, enabling arbitrary SQL injection. Despite the CVSS metrics suggesting no privileges are required (PR:N), the vulnerability description specifies exploitation by an administrator, likely requiring authenticated access to those forms. Successful exploitation could allow attackers to read, modify, or delete database contents, potentially leading to full compromise of the GLPI instance.
The official GitHub Security Advisory (GHSA-pcmc-xv3g-hjxv) confirms the issue and states that it is fixed in GLPI version 10.0.18. Security practitioners should upgrade to this version or later to mitigate the vulnerability, and review access controls to rules configuration forms in affected deployments.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SQL injection vulnerability in the network-accessible GLPI web application directly enables adversaries to exploit the public-facing application (T1190) by submitting crafted inputs to the rules configuration forms, resulting in arbitrary database access and potential full compromise.