CVE-2025-52897: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in glpi-project glpi

Severity: Medium
Tags: vulnerability, CVE-2025-52897, CWE-80, CWE-601
Published: Wed Jul 30 2025 (07/30/2025, 14:07:58 UTC)
Source: CVE Database V5
Vendor/Project: glpi-project
Product: glpi

Description

GLPI is a Free Asset and IT Management Software package. In versions 9.1.0 through 10.0.18, an unauthenticated user can send a malicious link to attempt a phishing attack from the planning feature. This is fixed in version 10.0.19.

AI-Powered Analysis

Last updated: 07/30/2025, 14:33:02 UTC

Technical Analysis

CVE-2025-52897 is a medium-severity vulnerability affecting GLPI (Gestionnaire Libre de Parc Informatique), versions 9.1.0 through 10.0.18. GLPI is a widely used free and open-source IT asset and service management package. The vulnerability is classified under CWE-80, improper neutralization of script-related HTML tags, commonly known as Cross-Site Scripting (XSS). Specifically, it allows an unauthenticated attacker to craft malicious links through the planning feature of GLPI and use them for phishing. When a victim opens such a link, the embedded script runs in the victim's browser context, potentially exposing sensitive information such as session cookies or credentials. The vulnerability requires no authentication (AV:N, PR:N) but does require user interaction (UI:R), since the victim must follow the malicious link. The confidentiality impact is high (C:H), while integrity and availability are unaffected (I:N, A:N). The issue is fixed in GLPI version 10.0.19. No known exploits are currently reported in the wild. The vulnerability is also tagged CWE-601 (open redirect), possibly indicating that the malicious link could leverage a redirect mechanism to facilitate phishing. Given GLPI's role as an IT asset management tool, exploitation could support targeted phishing campaigns against IT staff or administrators and enable further compromise through social engineering.

Potential Impact

For European organizations, the impact of this vulnerability can be significant, especially for those relying on GLPI for IT asset and service management. Successful exploitation could lead to credential theft or session hijacking of IT personnel, which in turn could facilitate unauthorized access to internal systems or sensitive data. This is particularly critical in sectors with stringent data protection requirements such as finance, healthcare, and government institutions. The phishing vector could also be used to distribute malware or conduct further social engineering attacks within the organization. Since GLPI is often used to manage IT infrastructure, compromise of GLPI users could undermine the integrity of IT operations and incident response capabilities. The vulnerability's unauthenticated nature increases the risk as attackers do not need prior access to the system. Although no active exploits are reported, the medium CVSS score and the ease of crafting phishing links warrant proactive mitigation to prevent potential targeted attacks.

Mitigation Recommendations

European organizations using GLPI should immediately upgrade to version 10.0.19 or later to remediate this vulnerability. Until the upgrade is applied, organizations should implement strict input validation and output encoding on the planning feature to neutralize script tags and prevent XSS payloads. Additionally, deploying Web Application Firewalls (WAFs) with rules to detect and block suspicious script injections or phishing URLs targeting GLPI can reduce risk. User awareness training focused on recognizing phishing attempts, especially those involving internal IT tools, is critical. Organizations should also monitor logs for unusual access patterns or phishing link distributions related to GLPI. Network segmentation can limit the impact if a compromise occurs. Finally, applying Content Security Policy (CSP) headers can help mitigate the impact of XSS by restricting the execution of unauthorized scripts in browsers.
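The two weaknesses paired in this advisory, an open redirect (CWE-601) and a script-bearing link (CWE-80), share one mitigation pattern: validate any user-supplied link target against an allow-list before using it, and encode it for both attribute and text context on output. The following is an added illustration of that pattern, not GLPI code; the host name, paths and function names are constructed for the example.

```python
from html import escape
from urllib.parse import urlsplit

# Hosts the application is allowed to send users to (constructed sample;
# not a GLPI setting). A real deployment would derive this from its own
# configured base URL.
ALLOWED_HOSTS = {"glpi.example.internal"}


def is_safe_redirect(target: str) -> bool:
    """Accept only targets that stay inside the application (CWE-601).

    Rejects absolute URLs to foreign hosts (including user@host tricks),
    protocol-relative '//host' forms, backslashes that browsers normalise
    to '/', control characters, and non-http(s) schemes such as
    javascript: that would turn a link into script execution.
    """
    if not target or any(c in target for c in "\r\n\t \x00"):
        return False
    normalised = target.replace("\\", "/")
    if normalised.startswith("//"):
        return False
    parts = urlsplit(normalised)
    if parts.scheme == "" and parts.netloc == "":
        # Site-relative path such as /front/planning.php?...; must be rooted
        return normalised.startswith("/")
    if parts.scheme not in ("http", "https"):
        return False
    # urlsplit lower-cases the host and strips any userinfo, so
    # https://glpi.example.internal@evil.example/ resolves to evil.example
    return parts.hostname in ALLOWED_HOSTS


def render_link(target: str, label: str) -> str:
    """Build an anchor with href and text both encoded (CWE-80 mitigation).

    An unsafe target is replaced by the application root, so a crafted
    planning link can neither carry the user off-site nor inject markup.
    """
    href = target if is_safe_redirect(target) else "/"
    return f'<a href="{escape(href, quote=True)}">{escape(label)}</a>'
```

Relative targets without a leading slash are rejected deliberately; resolving them depends on the current page, which is exactly the ambiguity an attacker exploits.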

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-06-20T17:42:25.710Z
CVSS Version: 3.1
State: PUBLISHED

Added to database: 7/30/2025, 2:17:53 PM

Last enriched: 7/30/2025, 2:33:02 PM

Last updated: 7/31/2025, 6:23:44 AM
