← back
CVE-2025-27147

GLPI Inventory plugin has Improper Access Control Vulnerability

CVSS 8.2 HIGHEPSS 0.4%CWE-22CWE-552CWE-73
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 8.2EPSS 0.4%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
25 Mar 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The GLPI Inventory Plugin handles various types of tasks for GLPI agents, including network discovery and inventory (SNMP), software deployment, VMWare ESX host remote inventory, and data collection (files, Windows registry, WMI). Versions prior to 1.5.0 have an improper access control vulnerability. Version 1.5.0 fixes the vulnerability.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L
Affected products
glpi-project · glpi-inventory-plugin

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/glpi-project/glpi-inventory-plugin/commit/aaeb26d98d07019375c25b56e60fffc195553545https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-h6x9-jm98-cw7c