• CENTRE D’URGENCE | 24/7
  • Vous êtes victime d’une cyberattaque ?
  • Contactez notre centre d’urgence cyber :
  • +33 (0)1 83 07 00 06

[CVE-2025-25192] Unauthorized access to debug mode in GLPI

Par Mathis Evrard

[CVE-2025-25192] Unauthorized access to debug mode in GLPI

Description

  • GLPI (Gestionnaire Libre de Parc Informatique) : is a widely used open-source solution for IT service management, including asset inventory, helpdesk, and IT infrastructure management.
  • Threat :  A vulnerability in GLPI allows an unauthenticated user to activate Debug Mode. Once enabled, this mode reveals SQL queries, errors, PHP objects, system configuration, and input/output data, providing detailed insight into the application’s behavior and potential issues—even to regular users.
  • Expectation : Debug Mode activation should be strictly restricted to administrators.

 

Vulnerability records

  • CVE ID: CVE-2025-25192
  • Access Vector: network
  • Security Risk: medium
  • Vulnerability: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-285 (Improper Authorization)
  • CVSS Base Score: 6.5
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

 

Details

A vulnerability in GLPI allows an unauthenticated user to activate Debug Mode by sending a POST request with the continuer parameter to /glpi/install/update.php. This bypasses the intended checks due to a logic flaw in the script. Once enabled, Debug Mode exposes sensitive information such as internal SQL queries, making it easier to analyze the application and identify potential vulnerabilities.

 

Proof of Concept: Debug Mode Activation

An update script is accessible at the following URL:

http://<serveur>/glpi/install/update.php

 

When trying to access http://10.0.2.15/glpi/install/update.php, we initially encounter an error preventing the execution of the update

[CVE-2025-25192] Unauthorized access to debug mode in GLPI

 

By reviewing the source code of GLPI at /glpi/install/update.php, we identified a logic flaw that allows bypassing this protection by sending a POST request containing a continuer or from_update parameter with an arbitrary value.

 

[CVE-2025-25192] Unauthorized access to debug mode in GLPI

 

We noticed in the source code that starting the update would activate DEBUG mode

 

[CVE-2025-25192] Unauthorized access to debug mode in GLPI

 

We were therefore able to start the update and activate DEBUG mode through this request:

[CVE-2025-25192] Unauthorized access to debug mode in GLPI

Once the update is completed, if we return to our basic user interface with a simple user, we can see that DEBUG mode is indeed activated.

[CVE-2025-25192] Unauthorized access to debug mode in GLPI

DEBUG mode provides access to a wealth of information, including the SQL queries executed for each action.

 

Affected versions

Versions <= 10.0.17

Solution

Update to version >= 10.0.18

Timeline

  • 2025-01-28: Initial discovery
  • 2025-02-07: First e-mail contact
  • 2025-02-10: Sent all details to vendor contact
  • 2025-02-25: Disclosure

 

Credits : Mathis Evrard, aka StayF0cus, SysDream (m.evrard -at- sysdream -dot- com)

 


Contactez-nous