CVE-2025-24801
published 2025-03-18


Priority: P266 · Severity: high · CVSS 3.1 base score: 8.8
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 17.47% (96.8th percentile)
GLPI is a free asset and IT management software package. An authenticated user can upload and force the execution of *.php files located on the GLPI server. This vulnerability is fixed in 10.0.18.

Affected

4 ranges

Vendor        Product                                           Version range        Fixed in
glpi-project  glpi                                              (not specified)      (not specified)
glpi-project  glpi                                              >= 0.85, < 10.0.18   10.0.18
msrc          cbl2_python-twisted_22.10.0-1_on_cbl_mariner_2.0  (not specified)      (not specified)
msrc          cm1_python-twisted_20.3.0-3_on_cbl_mariner_1.0    (not specified)      (not specified)

Note: the two msrc rows name python-twisted packages on CBL Mariner rather than the GLPI product described above, and carry no version range or fix; confirm them against the MSRC entry for this CVE before acting on them. The actionable range is GLPI >= 0.85 and < 10.0.18, fixed in 10.0.18.

Detection & IOCs (extracted from sources)

url:  /glpi/marketplace/printercounters/ajax/process.php
path: /glpi/marketplace/printercounters/ajax/process.php
suricata rule (ET Open, sid 2061771; the rule uses Suricata sticky-buffer keywords such as http.uri and http.request_body). The source shows only the rule body; the action/header line and the closing parenthesis are added here so the rule loads as written.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GLPI < 10.0.17 Authenticated Remote Code Execution (CVE-2025-24801)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/glpi/marketplace/printercounters/ajax/process.php"; fast_pattern; http.request_body; content:"items_id|3d|"; pcre:"/^[^\x26]*?[\x3b\x60\x7c\x24]/R"; classtype:web-application-attack; sid:2061771; rev:1;)
  • Monitor for authenticated POST requests to /glpi/marketplace/printercounters/ajax/process.php; this plugin endpoint is the one the signature targets.
  • Inspect POST bodies for the 'items_id=' parameter (matched as 'items_id|3d|') followed, before the next '&', by a shell metacharacter: semicolon (;), backtick (`), pipe (|) or dollar sign ($). Caveat: the http.request_body buffer is matched raw and is not percent-decoded, so a value such as 42%3Bid does not satisfy the pcre; add a decoded check in your own pipeline or accept that gap.
  • An authenticated user can upload and force the execution of *.php files on the GLPI server: monitor for unexpected PHP file uploads followed by web requests to those uploaded file paths. The signature above keys on injection at the plugin endpoint, not on this upload-and-execute step, so correlate the two.
  • Reference blog post for the full exploitation chain (SQL-to-RCE): blog.lexfo.fr/glpi-sql-to-rce.html
  • Exploitation requires prior authentication; unauthenticated scanning alone cannot trigger this vulnerability. Detection logic should correlate hits with a valid session context.
  • The rule message says GLPI < 10.0.17, while the NVD advisory states the fix is in 10.0.18; patch to 10.0.18 or later.
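The detection bullets above can be checked offline. The following is an added example, not code from this page or from the ET ruleset: it re-implements the match conditions of sid 2061771 as shown (POST, the plugin endpoint in the URI, 'items_id=' followed by ; ` | or $ before the next '&'), then adds the two things the signature lacks, a percent-decoded check on the items_id value and a session flag for correlating with an authenticated context. The sample requests, their session cookie values and the field names in the request dicts are constructed for the example.

```python
"""Added example (not from the page or the ET ruleset): re-implements the match
logic of ET sid 2061771 as shown above and runs it over constructed requests,
adding a percent-decoded check and a session flag that the signature lacks."""
import re
from typing import Optional
from urllib.parse import unquote_plus

# Values taken from the rule body on this page.
TARGET_PATH = "/glpi/marketplace/printercounters/ajax/process.php"
PARAM = b"items_id="
# pcre:"/^[^\x26]*?[\x3b\x60\x7c\x24]/R": from the end of "items_id=", look for
# ; ` | or $ before the next '&' (0x26). Applied to the raw body, as Suricata does.
ET_PCRE = re.compile(rb"^[^\x26]*?[\x3b\x60\x7c\x24]")
SHELL_META = set(";`|$")


def on_target(method: str, uri: str) -> bool:
    """http.method POST plus the plugin endpoint in http.uri."""
    return method == "POST" and TARGET_PATH in uri


def et_rule_matches(method: str, uri: str, body: bytes) -> bool:
    """Literal re-implementation of the signature's conditions."""
    if not on_target(method, uri):
        return False
    idx = body.find(PARAM)
    if idx < 0:
        return False
    return ET_PCRE.match(body[idx + len(PARAM):]) is not None


def decoded_items_id(body: bytes) -> Optional[str]:
    """Value of the first items_id= field, percent-decoded (the signature is not)."""
    for field in body.split(b"&"):
        if field.startswith(PARAM):
            return unquote_plus(field[len(PARAM):].decode("latin-1"))
    return None


def classify(req: dict) -> dict:
    """Verdict for one request: signature hit, decoded hit, evasion, session."""
    sig = et_rule_matches(req["method"], req["uri"], req["body"])
    value = decoded_items_id(req["body"]) if on_target(req["method"], req["uri"]) else None
    decoded = value is not None and any(c in SHELL_META for c in value)
    return {
        "signature": sig,
        "decoded_hit": decoded,
        "evasion": decoded and not sig,             # %3B-style encoding slips past the pcre
        "authenticated": bool(req.get("session")),  # "session" is a constructed field
        "alert": sig or decoded,
    }


# Constructed sample requests; the session cookie values are assumptions.
SAMPLES = [
    {"id": "benign", "method": "POST", "uri": TARGET_PATH,
     "body": b"items_id=42&itemtype=Printer", "session": "glpi_abc"},
    {"id": "plain", "method": "POST", "uri": TARGET_PATH,
     "body": b"items_id=42;id&itemtype=Printer", "session": "glpi_abc"},
    {"id": "encoded", "method": "POST", "uri": TARGET_PATH,
     "body": b"items_id=42%3Bid&itemtype=Printer", "session": "glpi_abc"},
    {"id": "get", "method": "GET", "uri": TARGET_PATH,
     "body": b"", "session": None},
]


def run(samples=SAMPLES) -> list:
    """Return [(id, verdict)] for every request that should raise an alert."""
    return [(r["id"], classify(r)) for r in samples if classify(r)["alert"]]


if __name__ == "__main__":
    for rid, verdict in run():
        print(rid, verdict)
```

Running it alerts on the plain and the percent-encoded injection but only the plain one is a signature hit; the encoded one is reported as an evasion, which is the gap the caveat above describes. The authenticated flag is left as data for the correlation step rather than gating the alert, so an injection attempt without a session still surfaces.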

CVSS provenance

Source       Score  Severity  Vector
nvd (v3.1)   8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv          8.8    HIGH
vendor_msrc  8.1    HIGH