CVE-2025-32786 Overview
CVE-2025-32786 is a SQL injection vulnerability in the GLPI Inventory Plugin, a component that handles network discovery, inventory, software deployment, and data collection for GLPI agents. Versions 1.5.0 and below contain improper neutralization of special elements used in an SQL command [CWE-89]. An unauthenticated remote attacker can exploit this flaw over the network without user interaction. The issue is fixed in version 1.5.1.
Critical Impact
An unauthenticated attacker can issue crafted requests to read confidential data from the GLPI database that the plugin shares with the core application, including asset, credential, and configuration records.
Affected Products
- GLPI Inventory Plugin versions 1.5.0 and earlier
- GLPI installations using the Inventory Plugin for agent data collection
- Environments relying on the plugin for network discovery and software deployment
Discovery Timeline
- 2025-11-04 - CVE-2025-32786 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-32786
Vulnerability Analysis
The GLPI Inventory Plugin processes data submitted by GLPI agents performing inventory, network discovery, and software deployment tasks. The vulnerability stems from request data passed into SQL queries without proper neutralization, classified as [CWE-89]. Because the attack vector is network-based and requires neither authentication nor user interaction, any plugin endpoint that is reachable without credentials and feeds request data into a query is a potential entry point.
The impact is confined to confidentiality. An attacker can craft input that alters the query structure so the statement returns records it was never meant to expose. The CVSS vector rates integrity and availability as unaffected, indicating the flaw enables data extraction rather than modification or denial of service.
GLPI deployments often store sensitive operational data, including hardware inventory, installed software, network topology, and credentials used for remote inventory tasks. Exposure of this data supports follow-on reconnaissance and lateral movement against the monitored estate.
Root Cause
The root cause is improper neutralization of special elements within SQL statements constructed by the plugin. User-controlled values reach query strings without parameterization or strict validation, allowing attacker-supplied syntax to be interpreted by the database engine.
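To make the root cause concrete, the following is an added example written for this page; it is not GLPI or plugin code, and the table and column names (`assets`, `snmp_credentials`) are constructed stand-ins for the kind of inventory and credential data GLPI stores. It runs against an in-memory SQLite database and shows the same lookup written twice: once with the attacker-controlled value concatenated into the SQL string (the CWE-89 pattern), once with the value bound through a placeholder. The UNION payload pulls rows from an unrelated table through the vulnerable form and returns nothing through the parameterized one.

```python
"""Added example (not GLPI code): why an unparameterized query is CWE-89."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed schema: an inventory table and a credential table.
    # Names are illustrative, not GLPI's real table or column names.
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE assets (id INTEGER PRIMARY KEY, name TEXT, serial TEXT);
        CREATE TABLE snmp_credentials (id INTEGER PRIMARY KEY, name TEXT, community TEXT);
        INSERT INTO assets VALUES (1, 'switch-01', 'SN-1001'), (2, 'printer-02', 'SN-2002');
        INSERT INTO snmp_credentials VALUES (1, 'core-snmp', 's3cr3t-community');
        """
    )
    return con


def lookup_vulnerable(con: sqlite3.Connection, serial: str) -> list:
    # Deliberately vulnerable: the request value becomes part of the SQL text,
    # so quotes and keywords in it are parsed by the database engine.
    sql = "SELECT name, serial FROM assets WHERE serial = '" + serial + "'"
    return con.execute(sql).fetchall()


def lookup_fixed(con: sqlite3.Connection, serial: str) -> list:
    # Hardened: the driver binds the value as data; it is never parsed as SQL.
    return con.execute(
        "SELECT name, serial FROM assets WHERE serial = ?", (serial,)
    ).fetchall()


# Constructed payload: closes the string, appends a UNION with matching column
# count, and comments out the trailing quote.  The space after "--" matters on
# MariaDB/MySQL, where the comment marker must be followed by whitespace.
PAYLOAD = "x' UNION SELECT name, community FROM snmp_credentials -- "


def demo() -> dict:
    con = make_db()
    return {
        "vulnerable": lookup_vulnerable(con, PAYLOAD),   # credential row leaks
        "fixed": lookup_fixed(con, PAYLOAD),             # no asset has that serial
        "legit": lookup_fixed(con, "SN-1001"),           # normal lookup still works
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:10s} {rows}")
```

The fix in the plugin is the same move the second function makes: every value that originates in a request is bound as a parameter, and the query text itself never changes shape based on input.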
Attack Vector
The attacker sends crafted HTTP requests to plugin endpoints reachable on the network. No credentials and no user interaction are required. Successful exploitation returns sensitive records from the GLPI database. Refer to the GitHub Security Advisory GHSA-w2cp-r675-6xpq for technical details.
Detection Methods for CVE-2025-32786
Indicators of Compromise
- HTTP requests to GLPI Inventory Plugin endpoints whose parameters contain SQL metacharacters such as ', --, UNION, SELECT, or SLEEP( (match after URL-decoding; the same tokens arrive encoded as %27, %2D%2D, or double-encoded as %2527)
- Unusual query patterns from the database account the GLPI web application uses (the database cannot attribute queries to a particular plugin, so compare against the application's normal query profile)
- Outbound responses from the plugin returning large or unexpected payloads to single requesters
- Web server logs showing repeated requests to inventory endpoints from a single non-agent IP address
Detection Strategies
- Inspect web server access logs for parameter values containing SQL syntax tokens directed at plugin URIs; access logs record only the query string, so payloads carried in POST bodies (the form GLPI agent submissions take) are visible only with request-body logging or a WAF audit log
- Enable database query logging and search for malformed or unexpected UNION, INFORMATION_SCHEMA, or boolean-based statements such as OR 1=1 tautologies
- Deploy a web application firewall (WAF) with SQL injection signatures in front of the GLPI host
- Correlate unauthenticated requests to plugin endpoints with unusually large response sizes
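The indicator and detection lists above can be turned into a single pass over web server access logs. The script below is an added example for this page, not a tool shipped with GLPI or the plugin. It parses Apache/nginx combined-format lines, URL-decodes the request twice to defeat double encoding, restricts attention to plugin URIs, and flags SQL tokens, oversized responses, and sources outside the agent subnets, counting repeat hits per non-agent address. The log lines, the `/plugins/glpiinventory/` and `/marketplace/glpiinventory/` prefixes, the endpoint file names, the agent subnet and the size threshold are all constructed assumptions to be adapted to a real deployment.

```python
"""Added example (not part of the advisory or of GLPI): scan access logs for
SQL-injection indicators against GLPI Inventory Plugin URIs."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from urllib.parse import unquote_plus

# Apache/nginx "combined" format:
#   host ident user [time] "method uri proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)
# Assumed install paths; GLPI may serve plugins from /plugins/ or /marketplace/.
PLUGIN_PREFIXES = ("/plugins/glpiinventory/", "/marketplace/glpiinventory/")
# Assumed agent subnets for this estate (constructed for the example).
AGENT_NETS = [ip_network("10.20.0.0/16")]
# Tokens from the IoC list, matched on the decoded, case-folded request.
SQL_TOKENS = re.compile(r"('|--|\bunion\b|\bselect\b|\bsleep\s*\(|information_schema)", re.I)
# Assumed threshold; tune to the normal size of your plugin responses.
LARGE_RESPONSE = 50_000

# Constructed sample log. Endpoint names are placeholders, not real plugin files.
SAMPLE_LOG = [
    # Normal agent POST: the inventory payload is in the body, so nothing shows here.
    '10.20.1.15 - - [10/Nov/2025:09:00:01 +0000] "POST /plugins/glpiinventory/front/agent_example.php HTTP/1.1" 200 312 "-" "GLPI-Agent/1.11"',
    # URL-encoded tautology from an outside host, with a large response.
    '203.0.113.7 - - [10/Nov/2025:09:00:07 +0000] "GET /plugins/glpiinventory/front/example.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 84213 "-" "curl/8.5.0"',
    # Double-encoded UNION probe from the same host.
    '203.0.113.7 - - [10/Nov/2025:09:00:08 +0000] "GET /plugins/glpiinventory/front/example.php?id=1%2527%2520UNION%2520SELECT%25201,2-- HTTP/1.1" 200 97011 "-" "curl/8.5.0"',
    # Unrelated GLPI page: outside the plugin prefix, ignored.
    '198.51.100.2 - - [10/Nov/2025:09:01:00 +0000] "GET /front/central.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def parse(line: str):
    """Return the parsed fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])
    # Decode twice so %2527 -> %27 -> ' is caught as well as a single encoding.
    d["decoded_uri"] = unquote_plus(unquote_plus(d["uri"]))
    return d


def is_agent(ip: str) -> bool:
    """True if the source address falls inside a known agent subnet."""
    try:
        return any(ip_address(ip) in net for net in AGENT_NETS)
    except ValueError:
        return False


def scan(lines):
    """Return (findings, per_ip): flagged plugin requests and hit counts per non-agent source."""
    findings, per_ip = [], Counter()
    for line in lines:
        d = parse(line)
        if not d or not d["decoded_uri"].startswith(PLUGIN_PREFIXES):
            continue
        reasons = []
        if SQL_TOKENS.search(d["decoded_uri"]):
            reasons.append("sql-token")
        if d["bytes"] >= LARGE_RESPONSE:
            reasons.append("large-response")
        if not is_agent(d["ip"]):
            reasons.append("non-agent-source")
            per_ip[d["ip"]] += 1
        if reasons:
            findings.append((d["ip"], d["decoded_uri"], reasons))
    return findings, per_ip


def scan_sample():
    return scan(SAMPLE_LOG)


if __name__ == "__main__":
    found, counts = scan_sample()
    for ip, uri, reasons in found:
        print(ip, ",".join(reasons), uri)
    print("repeat non-agent sources:", dict(counts))
```

The first sample line is the important negative case: an agent's inventory submission is a POST whose payload is not in the access log, so a scan like this only sees injection attempts that travel in the URL. For the POST path, feed it request-body logs from a WAF or reverse proxy instead, or rely on the database query log described above.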
Monitoring Recommendations
- Forward GLPI web server and MySQL/MariaDB logs to a centralized SIEM for correlation
- Alert on access to plugin endpoints from sources that are not registered GLPI agents
- Track plugin version inventory and flag hosts running versions at or below 1.5.0
How to Mitigate CVE-2025-32786
Immediate Actions Required
- Upgrade the GLPI Inventory Plugin to version 1.5.1 or later on all GLPI servers
- Restrict network access to the GLPI web interface and plugin endpoints to known agent subnets
- Review database and web server logs for indicators of exploitation covering the whole period an affected version (1.5.0 or earlier) was deployed, not only the time since 1.5.0 was installed
- Rotate any credentials stored in or accessible through the GLPI database if compromise is suspected
Patch Information
The vendor released version 1.5.1 of the GLPI Inventory Plugin to remediate the SQL injection. Details are available in the GLPI Inventory Plugin Release 1.5.1 notes and the GLPI Inventory Plugin Changelog. Apply the update directly through the GLPI plugin manager or by replacing the plugin directory with the patched release.
Workarounds
- Place the GLPI server behind a WAF configured with SQL injection rule sets until patching is complete
- Limit inbound access to the plugin's HTTP endpoints using firewall rules or reverse proxy ACLs
- Disable the Inventory Plugin temporarily if upgrading is not immediately possible and inventory functions can be paused
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


