CVE-2024-27756 is a CSV injection vulnerability identified in GLPI, an open-source IT asset management software, affecting versions through 10.0.12. The vulnerability arises because GLPI allows an attacker to create an asset with a crafted title that, when exported to CSV format, injects malicious formulas or commands. This type of injection exploits how spreadsheet applications like Microsoft Excel or LibreOffice Calc interpret CSV content, potentially executing arbitrary code or commands embedded in the CSV cells. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code), indicating that untrusted input is improperly handled and can lead to code injection. The CVSS v3.1 score is 8.8 (high), reflecting the network attack vector (no authentication required), low attack complexity, no privileges required, but requiring user interaction to open the malicious CSV file. The impact includes full compromise of confidentiality, integrity, and availability of affected systems if the malicious payload executes. Although no public exploits are currently known, the vulnerability poses a significant risk due to the widespread use of GLPI in managing IT assets and the common practice of exporting data to CSV for reporting or analysis. The lack of available patches at the time of reporting necessitates immediate mitigation efforts.

The potential impact of CVE-2024-27756 is substantial for organizations using GLPI for IT asset management. Successful exploitation can lead to arbitrary code execution on the victim's machine when a malicious CSV file is opened, potentially resulting in data theft, unauthorized system access, or disruption of business operations. Since GLPI is often used by IT departments and managed service providers, attackers could leverage this vulnerability to gain footholds in enterprise networks, escalate privileges, or move laterally. The compromise of asset management data could also undermine organizational security posture by corrupting or exposing sensitive infrastructure information. The requirement for user interaction (opening the CSV) limits automated exploitation but does not eliminate risk, especially in environments where CSV exports are shared frequently. The vulnerability affects confidentiality, integrity, and availability, making it a critical concern for organizations with high security requirements.

To mitigate CVE-2024-27756, organizations should first monitor GLPI vendor communications for official patches and apply them promptly once available. Until patches are released, restrict the ability to create or modify assets to trusted users only, minimizing the risk of malicious asset titles. Implement input validation and sanitization on asset titles to prevent injection of spreadsheet formulas or commands, such as disallowing characters like '=', '+', '-', '@' at the beginning of fields that will be exported to CSV. Educate users to be cautious when opening CSV files from untrusted sources and consider opening CSV files in text editors or spreadsheet applications with formula execution disabled. Additionally, employ network segmentation and endpoint protection to limit the impact of potential code execution. Regularly audit exported CSV files for suspicious content before distribution. Finally, consider alternative export formats that do not support formula execution if feasible.