CVE-2025-53360: CWE-284: Improper Access Control in pluginsGLPI databaseinventory
pluginsGLPI's Database Inventory Plugin "manages" the Teclib' inventory agents in order to perform an inventory of the databases present on the workstation. In versions prior to 1.0.3, any authenticated user could send requests to agents. This issue has been patched in version 1.0.3.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-53360 affects the pluginsGLPI Database Inventory Plugin, specifically versions earlier than 1.0.3. This plugin manages Teclib inventory agents that perform database inventories on workstations. Due to improper access control (CWE-284), any authenticated user, regardless of privilege level, can send requests directly to these agents. The missing authorization check lets such users disrupt the inventory process or cause denial of service conditions by sending unauthorized commands or malformed requests. The vulnerability does not allow unauthorized access to sensitive data or modification of data, but it does affect the availability of the inventory service. It is remotely exploitable over the network without user interaction and requires only low privileges (an authenticated user). The CVSS 3.1 base score is 4.3, a medium severity that reflects no impact on confidentiality or integrity but some impact on availability. The issue was publicly disclosed on November 18, 2025, and has been addressed in pluginsGLPI databaseinventory plugin version 1.0.3, which adds proper access control so that only authorized users can send requests to agents.
Potential Impact
For European organizations, the primary impact of this vulnerability is the potential disruption of database inventory operations managed via the pluginsGLPI Database Inventory Plugin. This could lead to incomplete or inaccurate asset inventories, affecting IT asset management, compliance reporting, and vulnerability assessments. While it does not directly expose sensitive data or allow data manipulation, denial of service or interference with inventory agents could delay critical security and operational processes. Organizations relying heavily on GLPI for IT service management and asset tracking may experience operational inefficiencies. In regulated industries, incomplete inventories could impact compliance with data governance and security standards. However, the impact is limited to availability and does not extend to confidentiality or integrity breaches.
Mitigation Recommendations
European organizations using pluginsGLPI with the databaseinventory plugin should immediately upgrade to version 1.0.3 or later to apply the official patch that enforces proper access control. Until patching is possible, restrict access to the GLPI platform to trusted users only and implement network segmentation to limit communication between authenticated users and inventory agents. Monitor logs for unusual or unauthorized requests to the inventory agents. Employ role-based access controls (RBAC) within GLPI to minimize the number of users with authenticated access capable of interacting with the plugin. Additionally, consider deploying Web Application Firewalls (WAFs) or Intrusion Detection Systems (IDS) to detect and block anomalous requests targeting the inventory agents. Regularly audit user privileges and remove unnecessary accounts to reduce the attack surface.
Affected Countries
France, Germany, United Kingdom, Italy, Spain, Netherlands, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-06-27T12:57:16.121Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691c9c349b9483ee9a797597
Added to database: 11/18/2025, 4:17:56 PM
Last enriched: 11/25/2025, 5:16:23 PM
Last updated: 1/7/2026, 8:45:34 AM