CVE-2025-24801 Overview
CVE-2025-24801 is an unrestricted file upload vulnerability (CWE-434) in GLPI, a widely used free and open-source IT asset and service management package. Per the advisory, an authenticated user can upload and force the execution of *.php files located on the GLPI server, which amounts to remote code execution in the context of the web application (that is, as the web server or PHP-FPM pool user).
Critical Impact
An authenticated attacker can achieve remote code execution on a vulnerable GLPI server by uploading a malicious PHP file and forcing its execution. Code runs as the web server user, which is enough to read the database credentials from the GLPI configuration directory, exfiltrate inventory and ticket data, and pivot into the network; full compromise of the host additionally requires a local privilege escalation.
Affected Products
- GLPI versions prior to 10.0.18 (check the GitHub advisory GHSA-g2p3-33ff-r555 for the exact affected range)
- CPE vendor/product: glpi-project / glpi
Discovery Timeline
- 2025-03-18 - CVE-2025-24801 published to NVD
- 2025-08-01 - Last updated in NVD database
Technical Details for CVE-2025-24801
Vulnerability Analysis
The vulnerability stems from insufficient validation of uploaded files in GLPI. An authenticated user who can upload files can get past the controls meant to keep executable content out, and once a PHP file is on the server the attacker can force its execution and run arbitrary code with the privileges of the web server process.
Only an ordinary authenticated account is required; no administrative role is needed. In a helpdesk deployment that often means every employee who can log in and attach a file to a ticket. Because GLPI is commonly deployed as the enterprise system of record for IT assets, successful exploitation exposes hardware inventories, software licenses, helpdesk tickets and network configuration data, as well as the credentials GLPI itself holds (database, LDAP and mail connectors).
Root Cause
The root cause is an unrestricted file upload (CWE-434): the application does not adequately validate or restrict what authenticated users can upload. Without a strict file type allowlist, content inspection and a storage location the web server will never execute, a PHP file can be written to disk and subsequently executed.
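To make the root cause concrete, here is an added example (not GLPI code, and not the patched logic from the advisory) contrasting the kind of extension blocklist that CWE-434 typically describes with a hardened allowlist validator. The function names, the size limit, the allowlist contents and the sample inputs are assumptions made for the demonstration:

```python
"""Added CWE-434 illustration: a weak blocklist beside a hardened allowlist.
Not GLPI code; names, limits and sample inputs are assumptions."""
from __future__ import annotations

import os
import re
import secrets

# Extensions a PHP handler may execute. A blocklist that only knows ".php"
# misses every one of these.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps"}

# Allowlist for the hardened checker: extension -> magic bytes the body must start with.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}

# PHP open tag or short echo tag, anywhere in the body.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def weak_is_allowed(filename: str) -> bool:
    """The failing pattern: a blocklist on the last extension only.

    It lets shell.phtml and shell.php.png through, and under Apache with
    'AddHandler ... .php' the latter is still executed as PHP.
    """
    return not filename.lower().endswith(".php")


def hardened_validate(filename: str, content: bytes, max_bytes: int = 10 * 1024 * 1024) -> str:
    """Return a server-chosen storage name for an acceptable upload, else raise ValueError.

    Checks: size; last extension against the allowlist; no executable extension
    hidden in an inner segment (shell.php.png); magic bytes matching the declared
    type; no PHP open tag anywhere in the body (catches JPEG/PHP polyglots). The
    caller must store the file under the returned random name, outside the web
    root, and serve it through a download handler that sets a fixed content type.
    """
    if len(content) > max_bytes:
        raise ValueError("file too large")
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise ValueError("missing or empty extension")
    ext = parts[-1]
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"extension not allowed: .{ext}")
    for inner in parts[1:-1]:
        if inner in EXECUTABLE_EXTENSIONS:
            raise ValueError(f"executable inner extension: .{inner}")
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise ValueError("content does not match declared type")
    if PHP_OPEN_TAG.search(content):
        raise ValueError("PHP open tag in body")
    # Never reuse the client-supplied name on disk.
    return f"{secrets.token_hex(16)}.{ext}"
```

The order of the checks matters less than their combination: the allowlist stops unknown extensions, the inner-segment check stops double extensions, the magic-byte check stops a renamed script, and the body scan stops polyglots that pass all three. Storing under a random name outside the web root is what finally removes the "execution" half of CWE-434 even if a check is bypassed.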
Attack Vector
The attack is network-based and requires authenticated access to the GLPI application. An attacker with valid user credentials can:
- Authenticate to the vulnerable GLPI instance
- Locate a file upload functionality within the application
- Upload a crafted PHP file containing malicious code (such as a web shell)
- Trigger the execution of the uploaded PHP file
- Achieve code execution on the underlying server
The exploitation process abuses the application's file handling to place executable content where the web server will run it when requested over HTTP, instead of in a location that is only ever read back through GLPI's own download handler. For the technical details of the flaw, refer to the GitHub Security Advisory GHSA-g2p3-33ff-r555.
Detection Methods for CVE-2025-24801
Indicators of Compromise
- Unexpected PHP files appearing in GLPI upload directories or document storage locations
- Web server access logs showing requests to unusual PHP file paths within the GLPI installation
- Outbound network connections from the GLPI web server process to destinations other than its configured database, LDAP and mail servers
- Process spawning from the web server (PHP-FPM, Apache, or Nginx worker) executing system commands
Detection Strategies
- Monitor file system changes for new PHP files in GLPI directories, particularly in upload or document storage paths
- Add web application firewall (WAF) rules that flag multipart uploads whose filename carries an executable extension (.php, .phtml, .phar and variants) or whose body contains a PHP open tag; treat this as an alerting layer, since WAF checks on upload content are routinely bypassed
- Review authentication logs for accounts being used to upload files followed by HTTP requests to non-standard PHP endpoints
- Deploy endpoint detection and response (EDR) solutions to identify web shell activity and post-exploitation behavior
Monitoring Recommendations
- Enable verbose logging for the GLPI application and web server to capture file upload events
- Configure SIEM rules to correlate file upload activities with subsequent execution attempts
- Monitor for unusual PHP process behavior including network connections, child process spawning, and file system modifications
- Implement file integrity monitoring on GLPI installation directories to detect unauthorized changes
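The following is an added example, not GLPI or project code, that turns the indicators, detection strategies and monitoring points above into two checks a responder can run: a scan of the upload tree for PHP content regardless of file name, and a pass over Apache access logs for requests that reach PHP scripts under the files directory. The directory layout, the Apache combined log format and the sample log lines are constructed assumptions:

```python
"""Added hunting example for the indicators above. Not GLPI or project code;
the directory layout, Apache combined log format and sample lines are constructed."""
from __future__ import annotations

import os
import re
import tempfile
from collections import defaultdict

# PHP open tag or short echo tag anywhere in a file body.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
# Extensions a PHP handler may execute (not just .php).
EXECUTABLE_EXT = re.compile(r"\.(php[0-9]?|phtml|phar)$", re.IGNORECASE)
# Apache "combined" log format, up to the status and size fields.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines: an upload, a direct hit on a dropped script, a
# legitimate download through GLPI's own handler, and a probe a deny rule caught.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Mar/2025:10:01:02 +0000] "POST /glpi/ajax/fileupload.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Mar/2025:10:01:05 +0000] "GET /glpi/files/_tmp/shell.php?cmd=id HTTP/1.1" 200 57 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [18/Mar/2025:10:02:00 +0000] "GET /glpi/front/document.send.php?docid=42 HTTP/1.1" 200 88210 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Mar/2025:10:03:11 +0000] "GET /glpi/files/_pictures/x.phtml HTTP/1.1" 403 199 "-" "curl/8.0"',
]


def find_php_artifacts(root: str) -> list[tuple[str, str]]:
    """Walk an upload tree and return (path, reason) for anything that looks like PHP.

    Extension alone is not enough: avatar.jpg whose body contains <?php is
    still a web shell if it is later included or renamed, so every body is read.
    """
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if EXECUTABLE_EXT.search(name):
                hits.append((path, "executable extension"))
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(1024 * 1024)  # first MiB is enough to spot an open tag
            except OSError:
                continue
            if PHP_TAG.search(head):
                hits.append((path, "php open tag in body"))
    return sorted(hits)


def suspicious_requests(lines, files_prefix: str = "/files/") -> dict[str, list[tuple[str, int]]]:
    """Return {client ip: [(path, status), ...]} for requests that address a PHP
    script under the upload prefix. A 200 means the script was executed or
    served; a 403/404 means a deny rule held or the probe missed, still worth a look."""
    flagged = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if files_prefix in path and EXECUTABLE_EXT.search(path):
            flagged[m["ip"]].append((path, int(m["status"])))
    return dict(flagged)


def build_sample_tree() -> str:
    """Create a constructed upload tree in a temp dir for the demo; returns its root."""
    root = tempfile.mkdtemp(prefix="glpi_files_")
    os.makedirs(os.path.join(root, "_tmp"))
    os.makedirs(os.path.join(root, "_pictures"))
    samples = {
        "_pictures/avatar.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "_tmp/shell.php": b"<?php system($_GET['c']); ?>",
        "_pictures/innocent.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"<?php eval($_POST['x']); ?>",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, reason in find_php_artifacts(build_sample_tree()):
        print(f"{reason:24} {path}")
    for ip, reqs in suspicious_requests(SAMPLE_LOG).items():
        print(ip, reqs)
```

In practice, point find_php_artifacts at the GLPI files directory (GLPI_VAR_DIR, files/ in a default layout) and suspicious_requests at the real access log, then pair any flagged client IP with GLPI's own login and session records to identify the account that performed the upload. A hit on a script path with status 200 is the strongest single indicator in this set; a 403 on the same path indicates the deny rule worked but the account that dropped the file still needs to be found.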
How to Mitigate CVE-2025-24801
Immediate Actions Required
- Upgrade GLPI to version 10.0.18 or later immediately as this version contains the security fix
- Conduct a thorough review of uploaded files on existing GLPI installations to identify any malicious PHP files
- Review authentication logs to identify any suspicious user activity that may indicate prior exploitation
- Consider temporarily restricting file upload functionality until the patch is applied if an immediate upgrade is not possible
Patch Information
The GLPI project has released version 10.0.18, which addresses this vulnerability. Organizations running vulnerable versions should upgrade as soon as possible. The security advisory is published as GHSA-g2p3-33ff-r555 on GitHub.
Workarounds
- Configure the web server to refuse PHP execution under the GLPI files directory. GLPI serves stored documents through its own download script (front/document.send.php) rather than by direct URL, so denying direct HTTP access to files/ does not break downloads. Note that php_admin_flag only has an effect with mod_php; under PHP-FPM the directive is not recognized and Apache will refuse to start, so deny requests for script extensions instead. On nginx, return 403 from a location block matching script extensions under the files path. This is defense in depth, not a substitute for the patch: it does not help if the uploaded file is executed through an include rather than a direct request.
- Deploy a web application firewall (WAF) with rules to block PHP file uploads through the GLPI application
- Restrict network access to the GLPI installation to trusted IP ranges only
- Implement additional authentication controls such as multi-factor authentication to reduce the risk of credential-based attacks
# Apache 2.4 vhost fragment: deny direct requests for PHP scripts under the
# GLPI files directory. The path assumes a default layout; adjust to GLPI_VAR_DIR.
# In a .htaccess placed inside the files directory, drop the <Directory> wrapper
# (it is only valid in the server or vhost configuration) and keep the inner lines.
<Directory /var/www/glpi/files>
    # Only effective with mod_php (PHP 7 uses mod_php7.c); harmless under PHP-FPM
    # because the IfModule guard skips it instead of breaking the configuration.
    <IfModule mod_php.c>
        php_admin_flag engine Off
    </IfModule>
    # Deny every extension the PHP handler may match, not only .php
    <FilesMatch "\.(php[0-9]?|phtml|phar)$">
        Require all denied
    </FilesMatch>
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

