cbcvebase.
CVE-2025-24799
published 2025-03-18


Priority: P1 92
CVSS 3.1: 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ITW / Exploit: VulnCheck KEV, exploited in the wild
EPSS: 86.18% (99.7th percentile)
GLPI is a free asset and IT management software package. An unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 10.0.18.

Affected (2 ranges)

Vendor         Product   Version range          Fixed in
glpi-project   glpi
glpi-project   glpi      >= 10.0.0 < 10.0.18    10.0.18

Detection & IOCs (extracted from sources)

command', IF((1=1),(select sleep(7)),1), 0, 0, 0, 0, 0, 0);#
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS GLPI Pre-auth SQL Injection (CVE-2025-24799)"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"application/xml"; http.request_body; content:"|3c|deviceid|3e|"; fast_pattern; pcre:"/^[^\x3c]*?[\x27\x22\x3b\x2d\x5c\x2a\x2f]/R"; reference:url,blog.lexfo.fr/glpi-sql-to-rce.html; reference:cve,2025-24799; classtype:web-application-attack; sid:2060814; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_03_12, cve CVE_2025_24799, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_03_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS GLPI < 10.0.17 Pre-Auth SQL Injection (CVE-2025-24799)"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"application/xml"; http.request_body; content:"|3c|deviceid|3e|"; fast_pattern; pcre:"/^[^\x3c]*?(?:(?:S(?:HOW\x20(?:C(?:UR(?:DAT|TIM)E|HARACTER\x20SET)|(?:VARI|T)ABLES)|ELECT\x20(?:FROM|USER|SLEEP))|U(?:NION\x20SELEC|PDATE\x20SE)T|DELETE\x20FROM|INSERT\x20INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\x2f\*.+\*\x2f)/R"; reference:url,blog.lexfo.fr/glpi-sql-to-rce.html; reference:cve,2025-24799; classtype:web-application-attack; sid:2061770; rev:1;)
  • The SQLi payload is delivered via POST request with Content-Type application/xml to the GLPI inventory endpoint; the injected SQL is embedded inside a SimpleXMLElement body, detectable by the presence of the <deviceid> tag (hex |3c|deviceid|3e|) alongside SQL keywords.
  • The Metasploit module targets the GLPI inventory plugin endpoint; the exploit requires the GLPI Inventory plugin to be installed/enabled and 'Enable Inventory' to be checked in administration configuration.
  • Time-based blind SQLi detection: look for slow responses (>=7 seconds) to POST requests returning HTTP 200 with Content-Type application/xml and body containing 'ok' and 'REPLY>'.
  • The dominant exploitation source IP (193.24.123.42, PROSPERO OOO AS200593) was observed sending 200 sessions targeting GLPI CVE-2025-24799 and rotates through 300+ unique user agent strings; it does not appear on widely circulated IOC lists.
  • 85% of exploitation sessions use OAST DNS callbacks to verify blind RCE/SQLi execution without direct response; monitor for unexpected outbound DNS queries from GLPI servers to unknown/random subdomains.
  • Exploitation requires the GLPI Inventory plugin to be installed and enabled, AND the 'Enable Inventory' option to be active in administration; instances without this configuration are not vulnerable via this vector.
  • The vulnerability is fixed in GLPI 10.0.18; instances running 10.0.17 and below are affected.
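As an added example (not from this page, the ET ruleset or the GLPI project), the two Snort rules' checks and the time-based bullet above rewritten as a small Python detector: it pulls the <deviceid> text out of an inventory POST body and flags SQL metacharacters or keyword pairs, and it scans constructed access-log lines for the >=7-second 200 responses a sleep(7) probe produces. The log-line shape, the /front/inventory.php path and the decision to leave the hyphen out of the rule's character class are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Character class ET sid:2060814 applies to the text right after <deviceid>.
# '-' (\x2d) is dropped here (assumption): a normal agent device id looks like
# "hostname-YYYY-MM-DD-HH-MM-SS", so keeping it would flag every benign request.
SQL_METACHARS = set("'\";\\*/")
# Keyword families from ET sid:2061770, with its ".+" gaps narrowed to whitespace.
SQL_KEYWORDS = re.compile(
    r"\b(?:SELECT\s+(?:FROM|USER|SLEEP)|UNION\s+SELECT|UPDATE\s+SET"
    r"|DELETE\s+FROM|INSERT\s+INTO|SHOW\s+(?:TABLES|VARIABLES))\b|/\*.*\*/",
    re.IGNORECASE | re.DOTALL,
)

def deviceid_text(xml_body):
    """Return the text of the first <deviceid> element (any case), else None."""
    try:
        root = ET.fromstring(xml_body)
    except ET.ParseError:
        return None
    for node in root.iter():
        if isinstance(node.tag, str) and node.tag.lower() == "deviceid":
            return node.text or ""
    return None

def is_suspicious_inventory_body(xml_body):
    """True when the device id carries SQL metacharacters or SQL keyword pairs."""
    text = deviceid_text(xml_body)
    if text is None:
        return False
    return bool(SQL_METACHARS & set(text)) or SQL_KEYWORDS.search(text) is not None

# Constructed access-log shape (assumption): '<ip> "POST <path>" <status> <millis>ms'
LOG_LINE = re.compile(r'^(\S+) "POST (\S+)" (\d{3}) (\d+)ms$')

def slow_inventory_posts(log_lines, threshold_ms=7000):
    """(ip, path, ms) for 200 responses to an inventory path at or above the sleep(7) threshold."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m or m.group(3) != "200" or "inventory" not in m.group(2).lower():
            continue
        if int(m.group(4)) >= threshold_ms:
            hits.append((m.group(1), m.group(2), int(m.group(4))))
    return hits
```

Pair the body check with the request's Content-Type being application/xml, as both rules do, to keep it off unrelated POST traffic.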

CVSS provenance

nvd         v3.1   9.8   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv                9.8   CRITICAL
vulncheck          7.5   HIGH