Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-27147

CVE-2025-27147: GLPI Inventory Plugin Auth Bypass Flaw

CVE-2025-27147 is an authentication bypass flaw in GLPI Inventory Plugin that allows unauthorized access through improper access controls. This article covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-27147 Overview

CVE-2025-27147 is an improper access control vulnerability in the GLPI Inventory Plugin. The plugin handles tasks for GLPI agents including network discovery, SNMP inventory, software deployment, VMware ESX remote inventory, and data collection from files, Windows registry, and WMI. Versions prior to 1.5.0 fail to enforce proper access checks, allowing authenticated users with elevated privileges to access resources outside their intended scope. The flaw is classified under CWE-22 (Path Traversal) and affects the confidentiality, integrity, and availability of inventory data. Version 1.5.0 fixes the vulnerability.

Critical Impact

An authenticated attacker can exploit improper access controls in the GLPI Inventory Plugin to access sensitive inventory data and impact scoped resources across the GLPI instance.

Affected Products

  • GLPI Inventory Plugin versions prior to 1.5.0
  • GLPI agents configured for network discovery and SNMP inventory
  • GLPI deployments using VMware ESX remote inventory and WMI data collection

Discovery Timeline

  • 2025-03-25 - CVE-2025-27147 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-27147

Vulnerability Analysis

The GLPI Inventory Plugin extends GLPI with agent-based tasks including SNMP-based network discovery, software deployment, ESX host remote inventory, and data collection from files, Windows registry, and WMI sources. The plugin exposes endpoints and handlers that process inventory data submitted by agents and managed by administrators.

Versions prior to 1.5.0 contain improper access control logic mapped to [CWE-22] path traversal weaknesses. The plugin fails to validate that the requesting user has authorization to access the targeted resource. An attacker with high-privilege authenticated access can leverage the flaw against a scoped component, with impact extending beyond the original security boundary.

The attack requires network access to the GLPI web interface and valid authenticated credentials. No user interaction is required to trigger the vulnerability.

Root Cause

The root cause is missing or insufficient access control checks in handlers that process inventory-related requests. The plugin does not properly validate input paths or enforce authorization boundaries between scoped resources, enabling traversal-style access to data the requester should not reach.

Attack Vector

An authenticated attacker sends crafted requests to vulnerable plugin endpoints over the network. Because the affected component does not validate authorization for the requested resource, the attacker reads inventory data, modifies limited resources, or disrupts plugin functionality. The scope change indicates that impact extends to resources managed under a different security authority than the vulnerable component.

No verified proof-of-concept code is publicly available. Refer to the GitHub Security Advisory GHSA-h6x9-jm98-cw7c for additional technical context.

Detection Methods for CVE-2025-27147

Indicators of Compromise

  • Unexpected HTTP requests to GLPI Inventory Plugin endpoints from authenticated sessions outside normal administrative workflows
  • Web server log entries containing path traversal sequences such as ../ targeting plugin URLs
  • Inventory records, SNMP credentials, or deployment task data accessed by accounts without a documented business need

Detection Strategies

  • Audit GLPI authentication and authorization logs for privileged accounts accessing inventory plugin resources outside expected scopes
  • Inspect web server access logs for anomalous query parameters and path components directed at plugin handlers
  • Correlate plugin API activity with user role assignments to identify access that bypasses intended boundaries

Monitoring Recommendations

  • Forward GLPI application logs and web server logs to a centralized logging platform for correlation
  • Alert on bulk reads of inventory, SNMP, or deployment data by single accounts within short time windows
  • Track plugin version inventory across GLPI deployments and flag instances running versions prior to 1.5.0

How to Mitigate CVE-2025-27147

Immediate Actions Required

  • Upgrade the GLPI Inventory Plugin to version 1.5.0 or later on all GLPI servers
  • Review high-privilege GLPI accounts and remove unnecessary administrative rights from inventory-related profiles
  • Rotate credentials stored in or accessible through the inventory plugin, including SNMP community strings and WMI credentials

Patch Information

The maintainers fixed the vulnerability in version 1.5.0. The relevant code change is published in the GitHub commit aaeb26d. Administrators should apply the upgrade through the standard GLPI plugin installation workflow and verify the version in the GLPI plugin management interface after deployment.

Workarounds

  • Restrict network access to the GLPI web interface to trusted administrative networks until the patch is applied
  • Temporarily disable the inventory plugin in GLPI plugin management if upgrading immediately is not feasible
  • Reduce the number of accounts assigned high-privilege profiles that interact with inventory plugin functionality

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.