CVE-2026-25937 is a security vulnerability affecting GLPI, a free Asset and IT management software package. This vulnerability allows a malicious actor possessing a user's credentials to bypass Multi-Factor Authentication (MFA) and gain unauthorized access to their account. The vulnerability affects GLPI versions 11.0.0 through 11.0.5, and a fix is available in version 11.0.6.
Successful exploitation of CVE-2026-25937 allows an attacker to completely compromise a user's GLPI account, effectively gaining access to all data and functionalities associated with that account. This includes the ability to view, modify, and delete assets, users, and other critical IT management information. The impact is particularly severe in environments where GLPI is used for sensitive data management or critical infrastructure oversight. Lateral movement within the network is possible if the compromised account has elevated privileges or access to other systems. The blast radius extends to any data or systems accessible through the compromised GLPI account.
CVE-2026-25937 was publicly disclosed on 2026-03-17. There is currently no indication of active exploitation in the wild, and no public proof-of-concept (POC) code has been released. The vulnerability has not been added to the CISA KEV catalog. The CVSS score of 6.5 (Medium) indicates a moderate risk level, suggesting that exploitation is possible but not highly probable without specific knowledge of user credentials.
Organizations heavily reliant on GLPI for asset and IT management are at significant risk. Specifically, those using GLPI versions 11.0.0 through 11.0.5 and lacking robust password policies or MFA implementations are particularly vulnerable. Shared hosting environments where multiple users share a single GLPI instance also face increased risk.
• php: Examine GLPI application logs for unusual authentication attempts or successful logins from unexpected IP addresses.
    grep "authentication failed" /var/log/glpi/application.log
• php: Check for unauthorized modifications to user accounts or asset records within GLPI.
    # (Requires GLPI CLI access)
    glpi-cli user:list --all | grep -i "unauthorized"
• generic web: Monitor GLPI login endpoints for suspicious activity, such as repeated failed login attempts followed by a successful login.
• generic web: Review GLPI access logs for unusual user agent strings or requests from unfamiliar locations.
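The "repeated failed login attempts followed by a successful login" pattern from the detection notes above, as an added example that is not part of this advisory or of GLPI: a small Python filter that flags every successful login preceded by a burst of failures for the same user. The log line format, field names and sample entries are constructed assumptions, not GLPI's real log format; adapt LINE_RE to the deployment's actual log lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format (constructed for this example, not GLPI's own):
#   <ISO timestamp> user=<name> ip=<addr> <authentication failed|login ok>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"(?P<outcome>authentication failed|login ok)$"
)

# Constructed sample log: bob shows the failure burst, carol does not.
SAMPLE_LOG = """\
2026-03-18T09:00:01 user=alice ip=10.0.0.5 login ok
2026-03-18T09:10:00 user=bob ip=203.0.113.7 authentication failed
2026-03-18T09:10:04 user=bob ip=203.0.113.7 authentication failed
2026-03-18T09:10:09 user=bob ip=203.0.113.7 authentication failed
2026-03-18T09:10:20 user=bob ip=203.0.113.7 login ok
2026-03-18T11:00:00 user=carol ip=10.0.0.9 authentication failed
2026-03-18T14:00:00 user=carol ip=10.0.0.9 login ok
"""

def parse(log_text):
    """Yield (timestamp, user, ip, outcome) for each line matching LINE_RE."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # unrelated lines are skipped
            yield datetime.fromisoformat(m["ts"]), m["user"], m["ip"], m["outcome"]

def find_suspicious_logins(log_text, min_failures=3, window=timedelta(minutes=10)):
    """Return (user, ip, failure_count, success_time) for every successful login
    preceded by at least `min_failures` failures for that user within `window`."""
    alerts = []
    recent_failures = defaultdict(list)  # user -> timestamps of recent failures
    for ts, user, ip, outcome in parse(log_text):
        # keep only failures that are still inside the sliding window
        fails = [t for t in recent_failures[user] if ts - t <= window]
        recent_failures[user] = fails
        if outcome == "authentication failed":
            fails.append(ts)
        elif len(fails) >= min_failures:
            alerts.append((user, ip, len(fails), ts.isoformat()))
            fails.clear()  # do not re-alert on the same burst
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_logins(SAMPLE_LOG):
        print("suspicious login:", alert)
```

Successful logins that clear this filter still deserve a look at the source IP and user agent, as the other detection notes suggest.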
EPSS: 0.01% (2nd percentile)
The primary mitigation for CVE-2026-25937 is to immediately upgrade GLPI to version 11.0.6 or later. If upgrading is not immediately feasible, consider implementing stricter password policies and reviewing user access controls to limit the potential impact of a compromised account. While not a direct fix, enabling more robust MFA methods (e.g., hardware tokens, biometric authentication) can provide an additional layer of security. After upgrading, verify the fix by attempting to authenticate with known valid credentials and confirming that MFA is enforced as expected.
Update GLPI to version 11.0.6 or later. This version fixes the MFA bypass vulnerability. The update can be performed through the GLPI administration panel, or the latest version can be downloaded from the official website.
CVE-2026-25937 is a medium-severity vulnerability in GLPI versions 11.0.0 through 11.0.5 that allows an attacker holding a user's credentials to bypass Multi-Factor Authentication (MFA) and take over that user's account.
You are affected if you are running GLPI versions 11.0.0 through 11.0.5 and have not yet upgraded to version 11.0.6 or later.
The fix is to upgrade GLPI to version 11.0.6 or later. This resolves the MFA bypass vulnerability.
There is currently no evidence of active exploitation in the wild, and no public proof-of-concept code has been released.
Refer to the official GLPI security advisory for detailed information and updates: [https://glpi.net/security](https://glpi.net/security)