CVE-2022-35914 — Teclib GLPI Remote Code Execution Vulnerability

CVE-2022-35914

Teclib GLPI — Unauthenticated RCE via htmLawedTest.php PHP Injection in Bundled Library

What is Teclib GLPI?

GLPI (Gestionnaire Libre de Parc Informatique) is a free and open-source IT asset management, helpdesk, and ITSM platform developed by Teclib. It is widely deployed by enterprises, government agencies, schools, and healthcare organizations across Europe and globally to manage IT hardware inventory, software licenses, service desk tickets, and change management workflows. GLPI is often accessible from the corporate network or internet to allow employees to submit support requests, making it a common target for attackers seeking initial access to internal IT management infrastructure.

Overview

CVE-2022-35914 is a critical remote code execution vulnerability (CWE-74, CVSS 9.8) in Teclib GLPI caused by a developer test endpoint shipped inside the bundled third-party htmLawed HTML sanitization library. The script, htmLawedTest.php, was included in GLPI's vendor directory and was reachable without authentication. It takes a caller-supplied function name and calls that function on caller-supplied text, so an unauthenticated attacker can make the web server execute arbitrary OS commands with the web server's privileges. GLPI fixed the issue by removing the file in version 10.0.3. CISA added the CVE to the KEV catalog in March 2023 following active exploitation.

Affected Versions

Product | Vulnerable | Fixed
GLPI | Before 10.0.3 (10.0.2 and earlier) | 10.0.3 and later

Note: htmLawedTest.php may also be present in GLPI deployments that were upgraded rather than freshly installed — administrators should verify the file is absent regardless of current version.

Technical Details

The vulnerability (CWE-74: Injection) exists in the htmLawedTest.php test script bundled within GLPI's vendor directory as part of the htmLawed PHP library. The htmLawed library provides HTML sanitization functionality, and its test script was designed to allow developers to interactively test the library's behavior by submitting HTML input and viewing the sanitized output.

The test script accepts HTTP POST parameters carrying the HTML or text to process and the htmLawed configuration to apply to it. Critically, one of those parameters is a hook: the name of a PHP function that htmLawed should call on the text during processing. The script passes that name straight to PHP's dynamic function-call mechanism without checking it against any allowlist, so an attacker supplies the name of a function that executes OS commands and places the command in the text parameter. When the request is processed, the attacker-chosen function runs with the attacker-supplied argument, and the command executes with the web server's privileges.

The attack is unauthenticated and needs no knowledge beyond the URL of htmLawedTest.php, which is predictable from the GLPI installation layout (vendor/htmlawed/htmlawed/htmLawedTest.php under the web root). The script's only gate is an anti-CSRF token that must appear both in the POST body and in a cookie, and the attacker supplies both, so RCE is achieved in a single HTTP request.
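The dispatch flaw described above, modelled in Python as an added example (this is not the htmLawed code and not part of the advisory): a "vulnerable" handler resolves whatever function name the request names and calls it on the request text, while a hardened handler only accepts names from a closed allowlist. The parameter names `hook` and `text`, the `LOOSE_NAMESPACE` table and the `echo injected` payload are constructed for this illustration; a real PHP script resolving a bare function name reaches every built-in, including command-execution ones, which the dict stands in for.

```python
"""Model of dynamic function dispatch from an untrusted name (CWE-74).

Added example, written in Python to mirror the PHP pattern the advisory
describes. Request dicts, hook names and the namespace are constructed.
"""
import html
import subprocess


def vulnerable_dispatch(params: dict, namespace: dict) -> str:
    """Vulnerable pattern: the caller names the function to run.

    Any callable reachable by name in `namespace` can be invoked with
    attacker-controlled text, including ones that run OS commands.
    """
    func = namespace.get(params.get("hook", ""))
    if not callable(func):
        raise ValueError("unknown hook")
    return func(params.get("text", ""))


# Hook functions a sanitiser test page might legitimately offer.
SAFE_HOOKS = {
    "escape": html.escape,
    "upper": str.upper,
}


def hardened_dispatch(params: dict) -> str:
    """Hardened pattern: a closed allowlist maps names to callables.

    The request may choose which approved hook runs, but cannot reach
    arbitrary functions, so a name like 'getoutput' is rejected.
    """
    hook = params.get("hook", "")
    if hook not in SAFE_HOOKS:
        raise ValueError(f"hook not permitted: {hook!r}")
    return SAFE_HOOKS[hook](params.get("text", ""))


# Namespace the vulnerable version resolves names in (constructed): the
# legitimate hooks plus a command-execution function, as a bare-name lookup
# in PHP would also reach exec/system/passthru.
LOOSE_NAMESPACE = {**SAFE_HOOKS, "getoutput": subprocess.getoutput}


def demo() -> tuple:
    """Run a constructed attack and a benign request through both handlers."""
    attack = {"hook": "getoutput", "text": "echo injected"}
    benign = {"hook": "escape", "text": "<b>hi</b>"}
    ran = vulnerable_dispatch(attack, LOOSE_NAMESPACE)  # the command actually runs
    safe = hardened_dispatch(benign)                    # escaped HTML, as intended
    try:
        hardened_dispatch(attack)
        blocked = False
    except ValueError:
        blocked = True
    return ran, safe, blocked


if __name__ == "__main__":
    print(demo())
```

The fix is not input validation on the text (the text is meant to be arbitrary HTML) but removing the caller's ability to name the callable at all; in production the correct fix is the one GLPI applied, deleting the test script, since a sanitizer's interactive test page has no business being web-reachable.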

Discovery

The vulnerability was identified by security researchers examining GLPI's bundled dependencies. The inclusion of a development test file in production software is a common supply chain security issue. A public proof-of-concept exploit was published in October 2022, significantly increasing the exploitation risk for unpatched deployments.

Exploitation Context

GLPI deployments are attractive targets because:

  • GLPI is widely used in European government, education, and healthcare sectors where IT asset management is required by regulation
  • IT asset management systems contain detailed inventories of all managed systems, making them valuable reconnaissance resources
  • GLPI's service desk functionality gives it knowledge of IT staff identities and contact information useful for social engineering
  • The unauthenticated, single-request nature of the exploit makes it trivially automatable for mass scanning campaigns

Active exploitation was observed in mass scanning campaigns that enumerated internet-accessible GLPI instances and tested for the presence of htmLawedTest.php, followed by automated exploitation where the file was found.
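The defender's counterpart to that scanning, as an added example that is not part of the advisory or of GLPI: a non-exploiting exposure check that sends one GET, with no parameters, to the candidate paths the page lists and reports whether the script is reachable. The `check_exposure` and `is_exposed` names are this example's own. For an offline demonstration it starts a local `http.server` over a constructed directory tree; point `check_exposure()` at a real GLPI base URL to use it against a deployment you are authorized to test.

```python
"""Exposure check for htmLawedTest.php (added example, not GLPI tooling).

Sends a plain GET to each candidate path and classifies the HTTP status.
No POST body is sent, so the flaw is never triggered.
"""
import functools
import http.server
import os
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request

# Locations under the GLPI web root named in the advisory.
CANDIDATE_PATHS = (
    "/vendor/htmlawed/htmlawed/htmLawedTest.php",
    "/lib/htmlawed/htmLawedTest.php",
)


def check_exposure(base_url: str, timeout: float = 5.0) -> dict:
    """Return {path: status} for each candidate path (None = unreachable).

    A 200 means the script is served; confirm by hand, since some front
    ends answer 200 for error pages too.
    """
    results = {}
    for path in CANDIDATE_PATHS:
        url = base_url.rstrip("/") + path
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                results[path] = resp.status
        except urllib.error.HTTPError as e:
            results[path] = e.code
        except (urllib.error.URLError, OSError):
            results[path] = None
    return results


def is_exposed(results: dict) -> bool:
    """True if any candidate path answered 200."""
    return any(status == 200 for status in results.values())


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Static file server used only for the offline demo."""

    def log_message(self, *args):  # keep the demo output clean
        pass


def _serve_constructed_tree(exposed: bool):
    """Serve a temp directory that either does or does not contain the
    leftover test script; returns (base_url, stop_callable)."""
    root = tempfile.mkdtemp()
    if exposed:
        d = os.path.join(root, "vendor", "htmlawed", "htmlawed")
        os.makedirs(d)
        with open(os.path.join(d, "htmLawedTest.php"), "w") as f:
            f.write("<?php // constructed stand-in for the test script\n")
    handler = functools.partial(_QuietHandler, directory=root)
    srv = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()

    def stop():
        srv.shutdown()
        srv.server_close()

    return f"http://127.0.0.1:{srv.server_address[1]}", stop


def demo() -> tuple:
    """Run the check against an exposed tree and a clean tree."""
    base, stop = _serve_constructed_tree(exposed=True)
    vulnerable = is_exposed(check_exposure(base))
    stop()
    base, stop = _serve_constructed_tree(exposed=False)
    clean = is_exposed(check_exposure(base))
    stop()
    return vulnerable, clean


if __name__ == "__main__":
    print(demo())
```

Run this from your own scanner against your inventory of GLPI hosts before and after patching; a 403 from the web server on the vendor/ path is the result you want once the access restriction from the remediation section is in place.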

Remediation

  1. Upgrade GLPI to 10.0.3 or later: The vulnerable htmLawedTest.php file is removed in GLPI 10.0.3. This is the primary fix.
  2. Verify file removal: Even on upgraded installations, manually verify that htmLawedTest.php is not present in the GLPI installation directory (typically under vendor/htmlawed/htmlawed/ or lib/htmlawed/). Remove it if found.
  3. Restrict web access: Implement web server configuration (Apache .htaccess or Nginx location blocks) to deny access to the vendor/ directory entirely, preventing future exposures of development or test files.
  4. Check for compromise: If GLPI was internet-accessible before patching, search web server access logs for requests to htmLawedTest.php. POST requests are the exploitation path and should be treated as likely compromise; GET requests (including ones that returned 404 after patching) usually indicate scanner reconnaissance. Record the source IPs and timestamps of both.
  5. Review for webshells: Inspect the GLPI installation directory and /tmp for unexpected PHP files that may have been dropped by successful exploitation.
  6. Restrict GLPI internet access: GLPI should ideally be accessible only from corporate networks, not the internet. Use a VPN for remote access if needed.
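Steps 2, 4 and 5 above, carried out in one script as an added example (this is not GLPI's own tooling): it walks the GLPI root for any leftover htmLawedTest.php, triages access-log lines that hit the script (POSTs versus GETs, counted per source IP), and lists PHP files under the web root and the temp directory modified after a cut-off. The sample log lines, the directory tree and the `x.php` drop are constructed so the script runs offline; the regex is the standard Apache/nginx "combined" log format. Function names are this example's own.

```python
"""Post-patch verification and compromise triage (added example).

Three checks from the remediation list: the file is gone from disk,
who requested it according to the access log, and which PHP files are
newer than a cut-off in the web root and the temp directory.
"""
import os
import re
import tempfile
import time
from collections import Counter

TEST_FILE = "htmLawedTest.php"

# Apache/nginx "combined" format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def find_test_file(glpi_root: str) -> list:
    """Every path named htmLawedTest.php under the GLPI root (step 2)."""
    hits = []
    for dirpath, _dirs, files in os.walk(glpi_root):
        if TEST_FILE in files:
            hits.append(os.path.join(dirpath, TEST_FILE))
    return hits


def triage_log(lines) -> dict:
    """Requests to the test script, split into POSTs (possible exploitation)
    and GETs (scanner reconnaissance), counted per source IP (step 4)."""
    posts, gets = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or TEST_FILE.lower() not in m["path"].lower():
            continue
        (posts if m["method"] == "POST" else gets)[m["ip"]] += 1
    return {"post_by_ip": dict(posts), "get_by_ip": dict(gets)}


def recent_php_files(roots, since_epoch: float) -> list:
    """PHP files under the given roots with mtime newer than since_epoch (step 5).
    Set since_epoch to the earliest suspicious log timestamp."""
    found = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower().endswith((".php", ".phtml")):
                    p = os.path.join(dirpath, name)
                    if os.path.getmtime(p) > since_epoch:
                        found.append(p)
    return sorted(found)


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2022:03:14:07 +0000] "GET /vendor/htmlawed/htmlawed/htmLawedTest.php HTTP/1.1" 200 5120 "-" "python-requests/2.28"
203.0.113.7 - - [10/Oct/2022:03:14:09 +0000] "POST /vendor/htmlawed/htmlawed/htmLawedTest.php HTTP/1.1" 200 611 "-" "python-requests/2.28"
198.51.100.22 - - [10/Oct/2022:09:01:00 +0000] "GET /front/central.php HTTP/1.1" 200 30211 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Oct/2022:12:00:00 +0000] "GET /vendor/htmlawed/htmlawed/htmLawedTest.php HTTP/1.1" 404 196 "-" "curl/7.81"
""".splitlines()


def demo() -> dict:
    """Build a constructed GLPI tree with the leftover test script and a
    dropped .php in a temp dir, then run all three checks."""
    root = tempfile.mkdtemp()
    leftover_dir = os.path.join(root, "vendor", "htmlawed", "htmlawed")
    os.makedirs(leftover_dir)
    open(os.path.join(leftover_dir, TEST_FILE), "w").close()
    tmp = tempfile.mkdtemp()            # stands in for /tmp
    open(os.path.join(tmp, "x.php"), "w").close()
    return {
        "leftover": find_test_file(root),
        "log": triage_log(SAMPLE_LOG),
        "new_php": recent_php_files([root, tmp], since_epoch=time.time() - 3600),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real host, call `find_test_file("/var/www/glpi")`, feed `triage_log` the full access-log history (including rotated files) rather than only the current log, and use the first suspicious POST timestamp from the log as the cut-off for `recent_php_files`; any POST hit warrants treating the host as compromised and rebuilding rather than just deleting dropped files.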

Key Details

Property | Value
CVE ID | CVE-2022-35914
Vendor / Product | Teclib — GLPI
NVD Published | 2022-09-19
NVD Last Modified | 2025-11-03
CVSS 3.1 Score | 9.8
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity | CRITICAL
CWE | CWE-74
CISA KEV Added | 2023-03-07
CISA KEV Deadline | 2023-03-28
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2023-03-28. Apply updates per vendor instructions.

Timeline

Date | Event
2022-09-13 | GLPI 10.0.3 released, removing the vulnerable htmLawedTest.php file
2022-09-19 | CVE published
2022-10-20 | Public proof-of-concept exploit published
2023-03-07 | CISA added to KEV
2023-03-28 | CISA BOD 22-01 remediation deadline

References

Resource | Type
NVD — CVE-2022-35914 | Vulnerability Database
CISA KEV Catalog Entry | US Government
GLPI 10.0.3 Release Notes | Vendor Advisory