CVE-2025-66417 Overview
CVE-2025-66417 is a critical SQL injection vulnerability affecting GLPI, a widely used free asset and IT management software package. This vulnerability allows unauthenticated attackers to perform SQL injection attacks through the inventory endpoint, potentially leading to complete database compromise, data exfiltration, and unauthorized system access.
Critical Impact
Unauthenticated SQL injection enabling full database access, data manipulation, and potential remote code execution on vulnerable GLPI installations running versions 11.0.0 to 11.0.2.
Affected Products
- GLPI versions 11.0.0 to < 11.0.3
- glpi-project glpi
Discovery Timeline
- 2026-01-15 - CVE-2025-66417 published to NVD
- 2026-01-21 - Last updated in NVD database
Technical Details for CVE-2025-66417
Vulnerability Analysis
This vulnerability is classified as CWE-89 (SQL Injection), representing an improper neutralization of special elements used in SQL commands. The flaw exists in GLPI's inventory endpoint, which fails to properly sanitize user-supplied input before incorporating it into SQL queries. Since the vulnerable endpoint does not require authentication, any remote attacker with network access to the GLPI installation can exploit this vulnerability without valid credentials.
The impact is severe as successful exploitation could allow attackers to read, modify, or delete sensitive data stored in the GLPI database, including asset inventories, user credentials, configuration settings, and other organizational information. Depending on database configuration and permissions, attackers may also achieve command execution on the underlying database server.
Root Cause
The root cause of CVE-2025-66417 stems from insufficient input validation and sanitization in the inventory endpoint handler. User-controlled data is directly concatenated or interpolated into SQL queries without proper parameterization or escaping. This allows attackers to inject arbitrary SQL syntax that gets executed by the database engine with the privileges of the GLPI application's database user.
Attack Vector
The attack can be executed remotely over the network without requiring any authentication or user interaction. An attacker can craft malicious HTTP requests to the inventory endpoint containing SQL injection payloads. These payloads break out of the intended query structure and inject attacker-controlled SQL statements.
The vulnerability is exploitable by sending specially crafted requests to the inventory API endpoint. Attackers may leverage various SQL injection techniques including UNION-based extraction, blind boolean-based inference, or time-based blind injection to extract database contents. For detailed technical information, refer to the GitHub Security Advisory GHSA-p467-682w-9cc9.
Detection Methods for CVE-2025-66417
Indicators of Compromise
- Unusual or malformed requests to the GLPI inventory endpoint containing SQL syntax characters such as single quotes, double dashes, UNION keywords, or semicolons
- Database error messages in web server logs indicating SQL syntax errors from the inventory endpoint
- Unexpected database queries or data access patterns in database audit logs
- Signs of data exfiltration or unauthorized database modifications
Detection Strategies
- Deploy Web Application Firewall (WAF) rules to detect and block common SQL injection patterns targeting the inventory endpoint
- Enable database query logging and monitor for anomalous query patterns, especially those containing UNION statements or multiple concatenated queries
- Implement intrusion detection system (IDS) signatures for SQL injection attack patterns in HTTP traffic to GLPI servers
- Configure application-level logging to capture and alert on malformed inventory requests
Monitoring Recommendations
- Monitor access logs for the inventory endpoint, particularly from external or unexpected IP addresses
- Set up alerts for database errors originating from GLPI application queries
- Review database user activity logs for privilege escalation attempts or access to sensitive tables
- Implement network traffic analysis to detect potential data exfiltration following successful exploitation
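As an added illustration of the detection and monitoring points above (not code from the GLPI project or from this advisory), the following Python scans combined-format access log lines for requests to the inventory endpoint that carry the SQL-syntax indicators listed above, come from outside trusted ranges, or returned a server error. The endpoint path and trusted ranges are assumed from the Apache example in the workarounds section, and the log lines are constructed.

```python
import re
import ipaddress
from urllib.parse import unquote_plus

# Combined log format (Apache/nginx). Only the request line is visible here; payloads in
# POST bodies need application-level logging, as the page's detection strategies note.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)
INVENTORY_PATH = "/front/inventory.php"   # endpoint path from the page's Apache example

# Indicators from the page's IoC list, matched against the URL-decoded request target.
SQLI_PATTERNS = [
    (re.compile(r"'"), "single quote"),
    (re.compile(r"--"), "double-dash comment"),
    (re.compile(r"\bunion\b", re.IGNORECASE), "UNION keyword"),
    (re.compile(r";"), "semicolon"),
]

def analyze_access_log(lines, trusted_networks):
    """One alert per suspicious inventory-endpoint request; trusted_networks are CIDRs."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                  # not a combined-format line
        target = unquote_plus(m.group("target"))
        if not target.split("?", 1)[0].endswith(INVENTORY_PATH):
            continue                                  # only the vulnerable endpoint matters here
        src = ipaddress.ip_address(m.group("ip"))
        reasons = []
        if not any(src in net for net in trusted):
            reasons.append("source outside trusted networks")   # page: external/unexpected IPs
        reasons += [label for rx, label in SQLI_PATTERNS if rx.search(target)]
        if m.group("status").startswith("5"):
            reasons.append("server error, possible SQL error")   # heuristic for the page's log IoC
        if reasons:
            alerts.append({"ip": str(src), "timestamp": m.group("ts"), "reasons": reasons})
    return alerts

# Constructed sample lines for the demonstration, not real traffic.
SAMPLE_LOG = [
    '10.1.2.3 - - [20/Jan/2026:10:00:01 +0000] "POST /glpi/front/inventory.php HTTP/1.1" 200 512',
    '203.0.113.9 - - [20/Jan/2026:10:00:05 +0000] "POST /glpi/front/inventory.php HTTP/1.1" 200 512',
    '203.0.113.9 - - [20/Jan/2026:10:00:07 +0000] "GET /glpi/front/inventory.php?id=1%27%20UNION%20SELECT%201-- HTTP/1.1" 500 88',
    '10.1.2.4 - - [20/Jan/2026:10:00:09 +0000] "GET /glpi/front/central.php HTTP/1.1" 200 2048',
]
TRUSTED = ["10.0.0.0/8", "192.168.0.0/16"]   # the ranges used in the page's Apache example
```

Access logs record only the request line, while GLPI agents submit inventory data in POST bodies, so run the same checks over the application-level request logging recommended above to cover the body as well.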
How to Mitigate CVE-2025-66417
Immediate Actions Required
- Upgrade GLPI to version 11.0.3 or later immediately
- If immediate patching is not possible, restrict network access to the GLPI inventory endpoint using firewall rules or web server access controls
- Review database and application logs for signs of prior exploitation attempts
- Consider temporarily disabling the inventory endpoint if it is not critical to operations
Patch Information
The GLPI project has released version 11.0.3 which addresses this SQL injection vulnerability. Organizations should upgrade to this version or later as soon as possible. The security advisory and patch details are available in the official GitHub Security Advisory.
Workarounds
- Implement network segmentation to limit access to GLPI servers from untrusted networks
- Deploy a WAF with SQL injection protection rules in front of the GLPI application
- Restrict database user privileges used by GLPI to minimum required permissions
- Enable database audit logging to detect and investigate any exploitation attempts
# Example: Restrict access to inventory endpoint via Apache configuration
# (Apache 2.4: several Require lines in one container are combined as an implicit RequireAny)
<Location "/glpi/front/inventory.php">
    Require ip 10.0.0.0/8
    Require ip 192.168.0.0/16
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.