Platform
php
Component
glpi-inventory-plugin
Fixed in
1.5.1
CVE-2025-27147 describes an improper access control vulnerability affecting the GLPI Inventory Plugin. This flaw allows unauthorized users to potentially access and manipulate sensitive data managed by the plugin, impacting the overall security posture of GLPI deployments. The vulnerability affects versions of the plugin prior to 1.5.0, with a fix released in version 1.5.0.
The improper access control vulnerability in the GLPI Inventory Plugin allows an attacker to bypass security measures and access resources they are not authorized to view or modify. Given the plugin's functionality, this could include sensitive inventory data collected from agents (SNMP, files, registry, WMI), configuration details for software deployments, and potentially even VMware ESX host inventory information. Successful exploitation could lead to data breaches, unauthorized configuration changes, and potentially even compromise of the underlying GLPI server if the attacker can leverage the plugin's access to execute commands or modify system settings. The blast radius extends to any systems managed by the GLPI Inventory Plugin.
CVE-2025-27147 was publicly disclosed on 2025-03-25. As of this date, it is not listed on the CISA KEV catalog. There are no publicly available proof-of-concept exploits, but the nature of the access control vulnerability suggests that it could be relatively easy to exploit once a suitable attack vector is identified. The EPSS score is likely to be medium, reflecting the potential impact and relatively straightforward exploitation path.
Exploit Status
EPSS
0.20% (41st percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-27147 is to immediately upgrade the GLPI Inventory Plugin to version 1.5.0 or later. If upgrading is not immediately feasible due to compatibility concerns or testing requirements, consider implementing stricter access controls within GLPI itself to limit the potential impact of the vulnerability. Review and restrict user permissions, ensuring that only authorized personnel have access to sensitive inventory data. While a direct WAF rule is unlikely to be effective, implementing a web application firewall (WAF) with robust access control policies can provide an additional layer of defense. After upgrading, confirm the fix by attempting to access plugin resources with a user account that should not have access.
Upgrade the GLPI Inventory Plugin to version 1.5.0 or later. This version contains the fix for the improper access control vulnerability. The upgrade can be performed through the GLPI administration panel or by downloading the new version from the plugin's official website.
CVE-2025-27147 is a HIGH severity access control vulnerability affecting GLPI Inventory Plugin versions prior to 1.5.0, allowing unauthorized access to sensitive inventory data.
You are affected if you are using GLPI Inventory Plugin versions earlier than 1.5.0. Check your plugin version and upgrade immediately if necessary.
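The mitigation section and the affected-version check above both come down to comparing the installed plugin version against the fixed release. The following script is an added example, not code from the advisory or from the GLPI project: it extracts the version constant from the plugin's setup.php and decides whether the install falls below the fixed version named on this page, treating pre-release builds of the fixed version (for example 1.5.0-rc1) as still affected. The constant name PLUGIN_GLPIINVENTORY_VERSION and the sample setup.php contents are assumptions made for the example.

```python
import re
import sys
from typing import Optional, Tuple

# Fixed version as stated in the advisory text above.
FIXED_VERSION = "1.5.0"

# Constructed sample of a plugin setup.php from a not-yet-upgraded install.
# The constant name is an assumption for this example.
SAMPLE_SETUP_PHP = """<?php
define('PLUGIN_GLPIINVENTORY_VERSION', '1.4.0');
define('PLUGIN_GLPIINVENTORY_MIN_GLPI', '10.0.0');
"""

# Matches define('PLUGIN_GLPIINVENTORY_VERSION', '<version>') with either quote style.
VERSION_RE = re.compile(
    r"define\(\s*['\"]PLUGIN_GLPIINVENTORY_VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]\s*\)"
)


def extract_plugin_version(setup_php_source: str) -> Optional[str]:
    """Return the version string declared in setup.php, or None if absent."""
    match = VERSION_RE.search(setup_php_source)
    return match.group(1) if match else None


def parse_version(version: str) -> Tuple[Tuple[int, ...], int, str]:
    """Turn '1.5.0-rc1' into a sortable key.

    A final release sorts after any pre-release of the same number, so
    1.5.0-rc1 < 1.5.0 < 1.5.1. Missing components are padded with zeros.
    """
    core, _, prerelease = version.partition("-")
    numbers = tuple(int(part) for part in core.split("."))
    numbers += (0,) * max(0, 3 - len(numbers))
    return (numbers, 0 if prerelease else 1, prerelease)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed version."""
    return parse_version(version) < parse_version(fixed)


def assess(setup_php_source: str) -> str:
    """Produce a one-line verdict for the given setup.php contents."""
    version = extract_plugin_version(setup_php_source)
    if version is None:
        return "UNKNOWN: version constant not found in setup.php"
    if is_affected(version):
        return f"AFFECTED: installed {version} < fixed {FIXED_VERSION}; upgrade required"
    return f"OK: installed {version} >= fixed {FIXED_VERSION}"


if __name__ == "__main__":
    # Usage: python check_glpi_inventory.py /path/to/plugins/glpiinventory/setup.php
    # Without an argument the constructed sample is assessed.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            print(assess(handle.read()))
    else:
        print(assess(SAMPLE_SETUP_PHP))
```

Point the script at the plugin's setup.php on each GLPI host (or run it across a fleet from configuration management) to get a consistent verdict; the plugin version shown in the GLPI administration panel should agree with what the script reports. After upgrading, re-run it and, as the mitigation section recommends, confirm that a user account without inventory rights is refused access to the plugin's resources.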
Upgrade the GLPI Inventory Plugin to version 1.5.0 or later to resolve this vulnerability. Implement stricter access controls within GLPI as a temporary measure.
As of the current disclosure date, there is no confirmed active exploitation, but the vulnerability's nature suggests potential for exploitation.
Refer to the official GLPI security advisories on the GLPI website for the latest information and updates regarding CVE-2025-27147.