CVE-2026-25937: CWE-287: Improper Authentication in glpi-project glpi
CVE-2026-25937 is an improper authentication vulnerability in GLPI versions 11.0.0 through 11.0.5 that allows an attacker with valid user credentials to bypass multi-factor authentication (MFA) and access the victim's account. This flaw affects GLPI, a widely used open-source IT and asset management software. The vulnerability does not require user interaction beyond credential knowledge and can lead to full compromise of confidentiality and integrity of the affected accounts. The issue was fixed in version 11.0.6.
AI Analysis
Technical Summary
CVE-2026-25937 is classified under CWE-287 (Improper Authentication) and affects GLPI, an open-source asset and IT management software. The vulnerability exists in GLPI versions starting from 11.0.0 up to but not including 11.0.6. It allows a malicious actor who already possesses valid user credentials to bypass the multi-factor authentication mechanism implemented by GLPI. This bypass effectively negates the additional security layer provided by MFA, enabling attackers to gain unauthorized access to user accounts without needing the second authentication factor. The vulnerability does not require user interaction beyond credential possession and can be exploited remotely over the network (AV:N). The attack complexity is low (AC:L), but the CVSS vector rates the privileges required as high (PR:H), reflecting that the attacker must already hold valid credentials for the targeted account. The vulnerability impacts confidentiality and integrity severely (C:H/I:H) but does not affect availability (A:N). The flaw was addressed and fixed in GLPI version 11.0.6. No public exploits have been reported yet, but the risk remains significant given the potential for account takeover and data compromise in environments relying on GLPI for IT asset management.
Potential Impact
The primary impact of this vulnerability is the compromise of user accounts despite the presence of MFA, which is typically considered a strong security control. Attackers who obtain or guess valid credentials can bypass MFA and gain unauthorized access to sensitive IT asset and management data stored within GLPI. This can lead to unauthorized disclosure of confidential information, manipulation or deletion of asset records, and potential lateral movement within an organization's network. Since GLPI is often used by IT departments to manage critical infrastructure and assets, exploitation could disrupt asset tracking, incident response, and IT operations. Organizations relying on GLPI for compliance or operational management may face regulatory and operational risks if this vulnerability is exploited. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers often target MFA bypass vulnerabilities.
Mitigation Recommendations
Organizations should immediately upgrade all GLPI installations to version 11.0.6 or later, where the vulnerability has been patched. In environments where immediate upgrade is not feasible, organizations should enforce strict credential hygiene, including mandatory password resets for all GLPI users and monitoring for unusual login activity. Implement network-level protections such as IP whitelisting or VPN access to restrict GLPI access to trusted networks. Additionally, consider deploying anomaly detection systems to identify suspicious authentication attempts. Review and tighten user privilege assignments within GLPI to minimize the impact of compromised accounts. Regularly audit GLPI logs for signs of unauthorized access attempts. Finally, educate users on the importance of protecting their credentials and consider integrating additional layers of security beyond GLPI's native MFA where possible.
Affected Countries
United States, Germany, France, United Kingdom, Canada, Australia, Netherlands, Italy, Spain, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-09T16:22:17.786Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b9e397771bdb1749e6bc5c
Added to database: 3/17/2026, 11:28:23 PM
Last enriched: 3/17/2026, 11:42:48 PM
Last updated: 3/18/2026, 2:54:53 AM