CVE-2025-53357: CWE-639: Authorization Bypass Through User-Controlled Key in glpi-project glpi
GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package that provides ITIL Service Desk features, license tracking and software auditing. In versions 0.78 through 10.0.18, a connected user can alter the reservations of another user. This is fixed in version 10.0.19.
AI Analysis
Technical Summary
CVE-2025-53357 is a medium-severity vulnerability affecting the GLPI (Gestionnaire Libre de Parc Informatique) software, versions from 0.78 up to but not including 10.0.19. GLPI is an open-source IT asset and service management tool widely used for ITIL service desk operations, license tracking, and software auditing. The vulnerability is categorized under CWE-639, authorization bypass through a user-controlled key: the application resolves a record from an identifier supplied in the request without confirming that the requesting user is entitled to act on that record. Here, a connected (authenticated) user can modify the reservation data of another user without proper authorization checks. An attacker with legitimate access to the system can therefore use that access to interfere with other users' reservations, potentially disrupting IT service management workflows or causing data integrity issues. The vulnerability requires no user interaction beyond authentication, has a network attack vector, and a low attack complexity. The CVSS v3.1 base score is 5.4, reflecting limited confidentiality and integrity impacts but no availability impact. The issue was fixed in GLPI version 10.0.19, and no known exploits were reported in the wild as of the publication date (July 30, 2025).
Potential Impact
For European organizations, the impact of this vulnerability can be significant in environments where GLPI is used to manage critical IT assets and service desk operations. Unauthorized modification of reservation data can lead to operational disruptions, misallocation of IT resources, and potential compliance issues, especially in sectors with strict IT governance requirements such as finance, healthcare, and government. Confidentiality is moderately impacted as attackers can access or alter data belonging to other users, potentially exposing sensitive scheduling or asset information. Integrity is also affected since unauthorized changes can corrupt reservation records, leading to mistrust in system data and possible downstream operational errors. Although availability is not directly impacted, the indirect effects on service management efficiency could degrade organizational productivity. Given GLPI's popularity in European public administrations and medium to large enterprises, this vulnerability poses a tangible risk if not promptly addressed.
Mitigation Recommendations
Organizations should immediately verify their GLPI version and upgrade to version 10.0.19 or later, where the vulnerability is patched. If upgrading is not immediately feasible, administrators should implement strict access controls and audit logging to monitor reservation modifications. Limiting user privileges to the minimum necessary and segregating duties can reduce the risk of exploitation. Additionally, organizations should review reservation management workflows to detect anomalies or unauthorized changes. Network segmentation and the use of VPNs or secure access gateways can further protect GLPI instances from unauthorized external access. Regular vulnerability scanning and penetration testing focused on GLPI deployments can help identify residual risks. Finally, maintaining an incident response plan that includes GLPI-related incidents will improve readiness to respond to any exploitation attempts.
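The authorization flaw class described above, and the audit-logging review recommended in the mitigation section, written out as an added example. This is not GLPI's code (GLPI itself is written in PHP) and does not reproduce GLPI's data model; the `Reservation` class, the in-memory store, the user ids and the sample reservations are constructed for illustration. It shows a reservation-editing handler that trusts the caller-supplied reservation id beside the hardened form that compares the record's owner with the authenticated user before writing and records every attempt, plus a small review helper that flags cross-user modification attempts in the audit log.

```python
"""
Illustration of CWE-639 (authorization bypass through a user-controlled key)
on a reservation-editing endpoint, with ownership enforcement and audit review.

Added, constructed example. NOT GLPI's code; the data model, store and
user ids below are assumptions made for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, List


class Forbidden(Exception):
    """Raised when a user tries to act on a reservation they do not own."""


@dataclass
class Reservation:
    reservation_id: int
    owner_id: int      # user who created the reservation
    item: str
    begin: str         # ISO-8601 strings keep the example dependency-free
    end: str


@dataclass
class ReservationService:
    # constructed sample data: two users, one reservation each
    reservations: Dict[int, Reservation] = field(default_factory=lambda: {
        1: Reservation(1, owner_id=100, item="projector",
                       begin="2025-08-01T09:00", end="2025-08-01T11:00"),
        2: Reservation(2, owner_id=200, item="laptop-07",
                       begin="2025-08-02T13:00", end="2025-08-02T15:00"),
    })
    audit_log: List[dict] = field(default_factory=list)

    def update_end_vulnerable(self, current_user_id: int,
                              reservation_id: int, new_end: str) -> Reservation:
        """Flawed shape: the reservation id comes straight from the request
        and is looked up and modified without checking who owns it."""
        res = self.reservations[reservation_id]
        res.end = new_end
        return res

    def update_end(self, current_user_id: int,
                   reservation_id: int, new_end: str) -> Reservation:
        """Hardened form: resolve the user-controlled key, then compare the
        record's owner with the authenticated user before any write. Every
        attempt, allowed or denied, is appended to the audit log."""
        res = self.reservations.get(reservation_id)
        if res is None:
            raise KeyError(reservation_id)
        allowed = res.owner_id == current_user_id
        self.audit_log.append({
            "actor": current_user_id,
            "reservation_id": reservation_id,
            "owner": res.owner_id,
            "action": "update_end",
            "allowed": allowed,
        })
        if not allowed:
            raise Forbidden(
                f"user {current_user_id} does not own reservation {reservation_id}")
        res.end = new_end
        return res


def cross_user_attempts(audit_log: List[dict]) -> List[dict]:
    """Review helper: every logged modification where actor and owner differ,
    i.e. the anomalies a periodic workflow review should surface."""
    return [e for e in audit_log if e["actor"] != e["owner"]]


def demo() -> dict:
    svc = ReservationService()
    # vulnerable path: user 100 changes user 200's reservation unchallenged
    svc.update_end_vulnerable(100, 2, "2025-08-02T18:00")
    tampered_end = svc.reservations[2].end

    # hardened path: the same request is refused and recorded
    denied = False
    try:
        svc.update_end(100, 2, "2025-08-02T19:00")
    except Forbidden:
        denied = True
    # the owner editing their own reservation still succeeds
    svc.update_end(200, 2, "2025-08-02T16:00")

    return {
        "tampered_end": tampered_end,
        "denied": denied,
        "final_end": svc.reservations[2].end,
        "flagged": len(cross_user_attempts(svc.audit_log)),
    }


if __name__ == "__main__":
    print(demo())
```

The ownership comparison belongs in the handler that performs the write, not only in the UI that lists a user's own reservations; the audit entry is written before the decision is enforced so that denied attempts are retained for review.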
Affected Countries
France, Germany, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-06-27T12:57:16.120Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 688a2d10ad5a09ad00a699b4
Added to database: 7/30/2025, 2:32:48 PM
Last enriched: 7/30/2025, 2:48:05 PM
Last updated: 9/11/2025, 6:47:50 PM