
CVE-2025-54780: CWE-73: External Control of File Name or Path in cconard96 glpi-screenshot-plugin

Severity: High
Tags: Vulnerability, CVE-2025-54780, cve, cve-2025-54780, cwe-73
Published: Tue Aug 05 2025 (08/05/2025, 00:08:37 UTC)
Source: CVE Database V5
Vendor/Project: cconard96
Product: glpi-screenshot-plugin

Description

The glpi-screenshot-plugin allows users to take screenshots or screen recordings directly from GLPI. In versions below 2.0.2, an authenticated user can use the /ajax/screenshot.php endpoint to leak files from the system or use PHP wrappers. This is fixed in version 2.0.2.

AI-Powered Analysis

Last updated: 08/12/2025, 01:03:58 UTC

Technical Analysis

CVE-2025-54780 is a high-severity vulnerability affecting versions of the glpi-screenshot-plugin prior to 2.0.2. The plugin, developed by cconard96, integrates with GLPI (open-source IT asset management and service desk software) so that users can capture screenshots or screen recordings directly within the GLPI interface. The vulnerability is categorized under CWE-73: External Control of File Name or Path. An authenticated user can abuse the /ajax/screenshot.php endpoint to disclose files by manipulating file paths or leveraging PHP wrappers. This lets an attacker read arbitrary files on the server hosting the plugin, potentially exposing sensitive configuration files, credentials, or other critical data.

Exploitation requires authentication but no further user interaction, and it can be carried out remotely over the network (AV:N). The CVSS v3.1 base score is 7.7, reflecting a high impact on confidentiality (C:H), no impact on integrity or availability, low attack complexity (AC:L), and low required privileges (PR:L). The vulnerability is fixed in version 2.0.2 of the plugin, and no known exploits are currently reported in the wild. The impact is significant because exploitation can lead to a complete breach of confidentiality on affected systems, potentially facilitating further attacks or data exfiltration.

Potential Impact

For European organizations using GLPI with the vulnerable glpi-screenshot-plugin versions, this vulnerability poses a significant risk to the confidentiality of sensitive data. Organizations in sectors such as government, finance, healthcare, and critical infrastructure that rely on GLPI for IT asset management and service desk operations could have sensitive internal documents, credentials, or configuration files exposed if attackers gain authenticated access. The ability to leak arbitrary files could facilitate lateral movement within networks or enable attackers to gather intelligence for more sophisticated attacks. Given the plugin’s integration with GLPI, which is widely used in Europe, the risk is amplified in environments where user authentication controls are weak or where multiple users have access to the GLPI interface. The vulnerability does not affect system integrity or availability directly but can undermine trust in IT management systems and lead to regulatory compliance issues under GDPR if personal or sensitive data is leaked.

Mitigation Recommendations

European organizations should immediately verify the version of the glpi-screenshot-plugin deployed in their GLPI environments and upgrade to version 2.0.2 or later where the vulnerability is patched. Additionally, organizations should enforce strict access controls and limit plugin usage to trusted and necessary users only. Implementing multi-factor authentication (MFA) for GLPI access can reduce the risk of unauthorized exploitation. Network segmentation should be applied to restrict access to GLPI servers from untrusted networks. Regularly auditing GLPI logs for unusual access patterns to the /ajax/screenshot.php endpoint can help detect exploitation attempts. Organizations should also consider disabling the screenshot plugin if it is not essential to their operations. Finally, applying web application firewalls (WAFs) with custom rules to detect and block suspicious path traversal or PHP wrapper usage attempts can provide an additional layer of defense.
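The log audit recommended above, as an added example (not code from the plugin, GLPI, or this advisory's source): it flags access-log requests to the endpoint whose query string decodes to a traversal sequence or a value starting with a stream-wrapper scheme. The combined log format, the sample lines and their path prefix, the `PARAM` placeholder, and the assumption that legitimate requests carry plain file names are constructed for illustration; values sent in POST bodies do not appear in access logs and need application or WAF logging instead.

```python
import re
from urllib.parse import unquote, urlsplit

ENDPOINT_SUFFIX = "/ajax/screenshot.php"  # endpoint named in the advisory
# Combined Log Format (assumed): ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
CHECKS = (
    # ".." used as a path segment anywhere in the decoded query string
    ("traversal", re.compile(r'(?:^|[=&/\\])\.\.(?:[/\\&]|$)')),
    # a parameter value that starts with a URL/stream-wrapper scheme ("xxx://")
    ("wrapper", re.compile(r'(?:^|[=&])[a-z][a-z0-9+.\-]*://', re.I)),
)

def fully_decode(value, max_rounds=5):
    """Undo nested percent-encoding (e.g. %252e) so encoded input still matches."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return (ip, status, reasons) for a suspicious request to the endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if not fully_decode(parts.path).lower().endswith(ENDPOINT_SUFFIX):
        return None
    query = fully_decode(parts.query)
    reasons = [name for name, rx in CHECKS if rx.search(query)]
    return (m["ip"], int(m["status"]), reasons) if reasons else None

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines. "PARAM" is a placeholder, not the plugin's real parameter name.
SAMPLE_LOG = [
    '198.51.100.7 - alice [05/Aug/2025:09:12:01 +0000] "GET /plugins/screenshot/ajax/screenshot.php?PARAM=capture_01.png HTTP/1.1" 200 5120',
    '203.0.113.20 - bob [05/Aug/2025:09:14:37 +0000] "GET /plugins/screenshot/ajax/screenshot.php?PARAM=..%2F..%2Fexample.txt HTTP/1.1" 200 812',
    '192.0.2.44 - bob [05/Aug/2025:09:15:02 +0000] "GET /plugins/screenshot/ajax/screenshot.php?PARAM=php%253A%252F%252FEXAMPLE HTTP/1.1" 200 1440',
    '192.0.2.44 - bob [05/Aug/2025:09:15:30 +0000] "GET /front/ticket.php?PARAM=..%2Fexample.txt HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for ip, status, reasons in scan(SAMPLE_LOG):
        print(ip, status, ",".join(reasons))
```

The HTTP status is returned with each hit so that flagged requests answered with 200 can be reviewed first.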


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-07-29T16:50:28.391Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 689154aead5a09ad00e467ec

Added to database: 8/5/2025, 12:47:42 AM

Last enriched: 8/12/2025, 1:03:58 AM

Last updated: 8/25/2025, 11:13:51 AM
