CVE-2024-37149
published 2024-07-10

Priority: P2 (68) · Severity: high · CVSS 3.1 base score: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 21.24% (97.3rd percentile)
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated technician user can upload a malicious PHP script and hijack the plugin loader to execute this malicious script. Upgrade to 10.0.16.

Affected (2 ranges)

Vendor         Product   Version range         Fixed in
glpi-project   glpi      (unspecified)         (unspecified)
glpi-project   glpi      >= 0.85, < 10.0.16    10.0.16

Detection & IOCs (extracted from sources)

URL: /ajax/kanban.php
Rule (Emerging Threats sid 2067159; written in Suricata 5+ sticky-buffer syntax: http.uri, http.request_body, http.method):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS GLPI Authenticated Local File Inclusion (CVE-2024-37149)"; flow:established,to_server; http.uri; content:"/ajax/kanban.php"; fast_pattern; http.request_body; content:"itemtype|3d|Plugin"; content:"action|3d|add_item"; content:"inputs|3d|"; pcre:"/^[^&]*?(?:(?:\x2e|%(?:25)?2[Ee]){1,2}(?:\x2f|\x5c|%(?:25)?5[Cc]|%(?:25)?2[Ff]){1,}){2,}/R"; http.method; content:"POST"; reference:url,sensepost.com/blog/2024/from-a-glpi-patch-bypass-to-rce/; reference:cve,2024-37149; classtype:web-application-attack; sid:2067159; rev:1; metadata:affected_product GLPI, attack_target Server, tls_state TLSDecrypt, created_at 2026_01_28, cve CVE_2024_37149, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2026_01_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • The rule matches POST requests to /ajax/kanban.php whose body carries itemtype=Plugin, action=add_item, and a path-traversal sequence directly after the inputs= parameter (the pcre is anchored to that content match via the /R flag). The content matches carry no nocase modifier, so they are case-sensitive.
  • The traversal pattern accepts dot-dot sequences in literal, URL-encoded (%2e) and double-URL-encoded (%252e) form, combined with forward slashes or backslashes in literal or encoded form (%2f, %5c, %252f, %255c). At least two such segments are required, so a single ../ does not trigger the rule.
  • The attack vector is an authenticated technician uploading a malicious PHP script and hijacking the plugin loader to execute it via local file inclusion.
  • External reference: the sensepost.com blog post linked in the rule describes the patch-bypass-to-RCE exploitation chain.
  • Exploitation requires an authenticated session with at least technician-level privileges; a rule match on its own does not establish a successful exploit, so a hit from a client without a valid GLPI session should be treated as a probe, and any hit should be correlated with the application's authentication and upload logs before being handled as a compromise.
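To make the rule's conditions concrete, the following is an added Python re-implementation of the matching logic of sid 2067159, run over constructed HTTP requests. It is not code from this page, from GLPI, or from the Emerging Threats ruleset; the request bodies and file names are illustrative placeholders, not known exploit payloads.

```python
"""Offline re-implementation of the matching logic of ET sid:2067159
(CVE-2024-37149), so the rule can be exercised against constructed or
captured HTTP requests without running an IDS.

Added example, not code from the page, from GLPI or from Emerging Threats.
"""
import re
from dataclasses import dataclass

# http.uri; content:"/ajax/kanban.php"
URI_NEEDLE = "/ajax/kanban.php"
# http.request_body; content:"itemtype|3d|Plugin"; content:"action|3d|add_item";
# |3d| is hex for "=". No 'nocase' modifier, so these are case-sensitive.
BODY_NEEDLES = ("itemtype=Plugin", "action=add_item")
# content:"inputs|3d|" -- the anchor for the relative pcre match
INPUTS_NEEDLE = "inputs="

# The rule's pcre with the /R flag: applied to the text that follows the
# "inputs=" match. One traversal segment is 1-2 dots (literal, %2e or %252e)
# followed by one or more slashes/backslashes (literal, %2f, %5c, %252f, %255c);
# two or more consecutive segments are required before the next '&'.
TRAVERSAL_RE = re.compile(
    r"^[^&]*?(?:(?:\.|%(?:25)?2[Ee]){1,2}(?:/|\\|%(?:25)?5[Cc]|%(?:25)?2[Ff]){1,}){2,}"
)


@dataclass
class HttpRequest:
    method: str
    uri: str
    body: str


def matches_rule(req: HttpRequest) -> bool:
    """Return True when every condition of sid:2067159 holds for the request."""
    # http.method; content:"POST"
    if req.method != "POST":
        return False
    # http.uri; content:"/ajax/kanban.php"
    if URI_NEEDLE not in req.uri:
        return False
    # body content matches may appear anywhere in the body, in any order
    if not all(needle in req.body for needle in BODY_NEEDLES):
        return False
    # Suricata retries a relative pcre for each occurrence of the anchoring
    # content, so every "inputs=" is tried. Slicing (rather than re.match with a
    # pos argument) is required because '^' only matches at index 0 in Python.
    for m in re.finditer(re.escape(INPUTS_NEEDLE), req.body):
        if TRAVERSAL_RE.match(req.body[m.end():]):
            return True
    return False


# Constructed sample traffic (not captured from a real system). Paths are
# placeholders chosen to exercise the rule, not exploit payloads.
SAMPLES = {
    "plain_traversal": HttpRequest(
        "POST", "/glpi/ajax/kanban.php",
        "itemtype=Plugin&action=add_item&inputs=../../files/_tmp/test.php"),
    "url_encoded": HttpRequest(
        "POST", "/ajax/kanban.php",
        "action=add_item&itemtype=Plugin&inputs=%2e%2e%2f%2e%2e%2ffiles%2ftest.php"),
    "double_encoded_backslash": HttpRequest(
        "POST", "/ajax/kanban.php",
        "itemtype=Plugin&action=add_item&inputs=%252e%252e%255c%252e%252e%255cfoo"),
    "single_segment": HttpRequest(          # only one ../ -> below the {2,} threshold
        "POST", "/ajax/kanban.php",
        "itemtype=Plugin&action=add_item&inputs=../test.php"),
    "traversal_in_other_param": HttpRequest(  # traversal not attached to inputs=
        "POST", "/ajax/kanban.php",
        "itemtype=Plugin&action=add_item&inputs=test.php&other=../../etc"),
    "wrong_method": HttpRequest(            # GET with parameters in the query string
        "GET", "/ajax/kanban.php?itemtype=Plugin&action=add_item&inputs=../../x", ""),
    "lowercase_itemtype": HttpRequest(      # content match is case-sensitive
        "POST", "/ajax/kanban.php",
        "itemtype=plugin&action=add_item&inputs=../../files/_tmp/test.php"),
    "benign_kanban": HttpRequest(           # ordinary kanban use of the endpoint
        "POST", "/ajax/kanban.php",
        "itemtype=Project&action=add_item&inputs=name%3Dsprint"),
}


def evaluate_samples() -> dict:
    """Map each sample name to whether the rule would fire on it."""
    return {name: matches_rule(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{'ALERT' if hit else 'quiet'}  {name}")
```

The samples show the rule's boundaries rather than its happy path only: the three traversal encodings the pcre lists all fire, a single ../ does not, a traversal in a parameter other than inputs does not, and because the rule inspects only http.request_body and matches content case-sensitively, parameters carried in a query string or a differently cased itemtype fall outside its scope. Run the script directly to see the per-sample verdicts.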

CVSS provenance

NVD: v3.1, 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
OSV: 8.8 HIGH