CVE-2025-64520 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the GLPI IT asset and service management software. Specifically, versions starting from 9.1.0 up to 10.0.20 inclusive lack proper authorization checks on API endpoints that serve knowledge base entries. An attacker with API access but without proper privileges can exploit this flaw to read all knowledge base content, which may include sensitive operational procedures, troubleshooting guides, or internal documentation. The vulnerability does not allow modification or deletion of data, nor does it impact system availability. The CVSS v3.1 base score is 6.5, reflecting a medium severity due to high confidentiality impact but no integrity or availability impact, and requiring low privileges but no user interaction. The vulnerability was publicly disclosed on December 16, 2025, with no known exploits in the wild at the time of publication. The recommended remediation is to upgrade to GLPI version 10.0.21, where the authorization checks have been properly implemented to restrict knowledge base access to authorized users only.

For European organizations, this vulnerability poses a risk of unauthorized disclosure of sensitive internal knowledge base information, which could aid attackers in reconnaissance or social engineering attacks. The confidentiality breach could expose operational procedures, security policies, or incident response guidelines, potentially weakening organizational security posture. While the vulnerability does not allow data modification or service disruption, the leakage of sensitive information can have downstream effects, including compliance violations under GDPR if personal data or security controls are indirectly exposed. Organizations relying on GLPI for IT asset and service management should consider the risk of insider threats or external attackers gaining API access. The impact is particularly relevant for sectors with stringent data protection requirements such as government, healthcare, and finance.

The primary mitigation is to upgrade GLPI installations to version 10.0.21 or later, where the authorization flaw is fixed. Until upgrade is possible, organizations should restrict API access strictly to trusted and authenticated users, employing network segmentation and firewall rules to limit exposure. Implement strong authentication and authorization controls around the GLPI API, including the use of API keys or tokens with minimal privileges. Monitor API access logs for unusual or unauthorized activity. Conduct regular audits of GLPI user permissions and API usage. Additionally, consider disabling the knowledge base API endpoints if not required. Incorporate this vulnerability into vulnerability management and patching workflows to ensure timely remediation.