1. Introduction
The GLPI Default Credentials finding means an attacker can log in to a GLPI web application through its normal login form using the well-known passwords of the accounts that the installer creates. GLPI holds asset inventories, tickets and user records, so this puts confidentiality, integrity and availability at high risk: whoever logs in as the default super-admin account controls the application and every record stored in it. Installations whose built-in accounts were never changed after setup are affected, and the likely impact is full compromise of application data.
2. Technical Explanation
The problem is a deployment flaw rather than a code flaw: the GLPI installer creates several accounts with known passwords, and they keep working until an administrator changes them. An attacker simply submits those usernames and passwords to the login form. The scanner that raised this finding authenticated successfully, which shows that at least one default (or equally guessable) password is still in use. The weakness is classified as CWE-16: Configuration; the more specific CWE-1392 (Use of Default Credentials) also applies.
- Root cause: predictable default passwords on GLPI accounts that the web login form still accepts.
- Exploit mechanism: the attacker submits the documented GLPI defaults, glpi/glpi (super-admin), tech/tech, normal/normal and post-only/postonly, along with generic pairs such as admin/admin, until one is accepted.
- Scope: every GLPI installation whose built-in accounts still carry their original passwords, or whose administrators set equally guessable ones.
3. Detection and Assessment
- Quick checks: open the GLPI login page in a browser and try each documented default pair (glpi/glpi, tech/tech, normal/normal, post-only/postonly) and admin/admin, one attempt per account. Any successful login confirms the finding.
- Scanning: Nessus and OpenVAS/Greenbone ship default-credential checks that cover GLPI (the original report cites Nessus plugin ID 16342; confirm the ID against your scanner's plugin catalogue before relying on it). These are examples only.
- Logs and evidence: GLPI records logins under Administration > Logs, and the web server access log shows the POST requests to front/login.php; look for successful logins by the default account names (glpi, tech, normal, post-only). The file log directory (files/_log by default) varies with the GLPI configuration.
- Command: there is no dedicated CLI command for this check; it is an HTTP login attempt against the form, made from a browser or a small HTTP client.
4. Solution / Remediation Steps
4.1 Preparation
- Take a full backup of the GLPI database and application files. The web server does not need to be stopped: a password change is a single database update that GLPI performs while running.
- Make sure you hold a working administrator login (ideally a named account other than glpi) before starting, so you cannot lock yourself out. The roll-back plan is to restore from the backup.
- A change window may be required depending on your environment. Approval should be obtained from IT security or system owners.
4.2 Implementation
- Step 1: Log in to the GLPI web application with a super-admin account.
- Step 2: Go to Administration > Users.
- Step 3: Identify the installer-created accounts (glpi, tech, normal, post-only) and any account the scanner was able to authenticate as (for example an admin account whose password is admin). GLPI stores only password hashes, so the way to find a weak password is to try it, not to look at the user record.
- Step 4: Edit each of those accounts and set a strong, unique password that meets your organisation's complexity requirements. Disable (Active = No) the built-in accounts you do not use rather than leaving them enabled with a new password.
- Step 5: Turn on GLPI's password security policy under Setup > General > Security (minimum length and required character classes) so that weak passwords are rejected for every user from now on.
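The following Python script is an added example, not GLPI project code, supporting Steps 4 and 5: it mirrors the knobs of GLPI's password security policy (minimum length, digit, lowercase letter, uppercase letter, symbol) so a candidate password can be rejected before it is typed into the user form, and it generates a compliant replacement from the CSPRNG. The PasswordPolicy values are an assumed baseline rather than GLPI's shipped defaults, and the DEFAULT_PASSWORDS set is constructed for this example.

```python
# Added example (not GLPI project code): check candidate passwords against
# the options GLPI exposes under Setup > General > Security ("Password
# security policy") and generate a replacement that satisfies them.
# The threshold values below are an assumed baseline, not GLPI's defaults.
import secrets
import string
from dataclasses import dataclass
from typing import List, Optional

# Passwords of GLPI's installer-created accounts plus generic pairs that
# default-credential scanners try. Constructed list; never accept these.
DEFAULT_PASSWORDS = frozenset({"glpi", "tech", "normal", "postonly",
                               "admin", "password"})


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 14
    need_number: bool = True
    need_letter: bool = True   # interpreted here as at least one lowercase letter
    need_caps: bool = True
    need_symbol: bool = True


def policy_violations(password: str, policy: PasswordPolicy) -> List[str]:
    """Return every rule the password breaks; an empty list means compliant."""
    problems: List[str] = []
    if password.lower() in DEFAULT_PASSWORDS:
        problems.append("is a known default password")
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.need_number and not any(c.isdigit() for c in password):
        problems.append("no digit")
    if policy.need_letter and not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if policy.need_caps and not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if policy.need_symbol and not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    return problems


def generate_password(policy: PasswordPolicy, length: Optional[int] = None) -> str:
    """Uniform random password from the CSPRNG, resampled until it satisfies
    the policy. Rejection sampling keeps the distribution unbiased, unlike
    forcing one character of each class into fixed positions."""
    n = max(length or policy.min_length, policy.min_length)
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(n))
        if not policy_violations(candidate, policy):
            return candidate


if __name__ == "__main__":
    baseline = PasswordPolicy()
    print(policy_violations("glpi", baseline))   # default password, too short, ...
    print(generate_password(baseline, 20))        # a 20-character compliant value
```

Paste the generated value into the user's password field in Administration > Users and store it in the organisation's password manager; never keep it in the script or a ticket.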
4.3 Config or Code Example
Before
# Installer-created accounts, unchanged since setup:
# glpi / glpi (super-admin), tech / tech, normal / normal, post-only / postonly
# plus any other account that still accepts a trivial password such as admin / admin
After
# glpi: password replaced with a long random value kept in the password manager
# tech, normal, post-only: disabled, or given their own unique random passwords if still needed
# Setup > General > Security: password security policy enabled
4.4 Security Practices Relevant to This Vulnerability
Several security practices address this issue directly. Secure defaults mean no account keeps a vendor-known password after installation. Least privilege limits what a compromised account can reach: day-to-day work should not be done with the super-admin profile. A password policy stops guessable passwords from being set again. A regular configuration review catches instances that drift back to weak settings.
- Practice 1: Implement least privilege by giving each user only the GLPI profile and entities needed for their work, and keep super-admin rights to a few named accounts.
- Practice 2: Enforce a strong password policy (length and character classes) for all users, and change a password when the account is suspected of compromise rather than on a fixed calendar.
4.5 Automation (Optional)
Automating the password change of the built-in accounts is not recommended, because a mistake locks administrators out; make that change manually. Automating the detection check is fine as long as it tries each default pair only once per run.
5. Verification / Validation
- Post-fix check: attempt to log in with each default pair from Section 3 (glpi/glpi, tech/tech, normal/normal, post-only/postonly, admin/admin). Expected result: every attempt is rejected and the login page is shown again with an error.
- Re-test: Re-run the quick check from Section 3, which should no longer succeed.
- Smoke test: Verify that you can still log in with a valid administrator account and access key GLPI features (e.g., ticket management).
- Monitoring: alert on failed logins for the default account names (glpi, tech, normal, post-only) and for admin; after remediation those attempts can only come from someone probing the system.
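The script below is an added example, not GLPI's own code or a scanner plugin, that performs the quick check from Section 3 and the post-fix re-test above as an HTTP client: one login attempt per default pair, then a verdict. The success indicator (a redirect to front/central.php), the form field names login_name and login_password, and the host glpi.example are assumptions; recent GLPI versions randomise the visible field names and require a _glpi_csrf_token, so a live run must first GET the form and copy those values into the request. The fake_glpi transport is a constructed stand-in so the decision logic runs offline.

```python
# Added example (not GLPI project code): probe a GLPI login form for the
# documented default accounts and report which still authenticate. Serves
# the quick check in Section 3 and the post-fix re-test in Section 5.
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Accounts created by the GLPI installer (per the GLPI install docs), plus
# the generic admin/admin pair reported by the original scan.
DEFAULT_CREDENTIALS: List[Tuple[str, str]] = [
    ("glpi", "glpi"),
    ("tech", "tech"),
    ("normal", "normal"),
    ("post-only", "postonly"),
    ("admin", "admin"),
]


@dataclass
class HttpResponse:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


# A transport is (url, form_fields) -> HttpResponse. Injecting it lets the
# same decision logic run against a live server or an offline fake.
Transport = Callable[[str, Dict[str, str]], HttpResponse]


def looks_authenticated(resp: HttpResponse) -> bool:
    """ASSUMPTION: a successful GLPI login answers with a redirect to
    front/central.php, while a failed login re-renders the login page
    (HTTP 200). Adjust the indicator if your version behaves differently."""
    location = resp.headers.get("Location", "")
    return resp.status in (301, 302, 303) and "front/central.php" in location


def probe_defaults(base_url: str, post: Transport,
                   creds=DEFAULT_CREDENTIALS) -> Dict[str, bool]:
    """One login attempt per default pair, never more: this is a check,
    not a brute-force run, and it must not trigger lockouts."""
    results: Dict[str, bool] = {}
    for user, password in creds:
        # ASSUMPTION: field names login_name/login_password. Recent GLPI
        # randomises the visible field names and requires a
        # _glpi_csrf_token; a live client must GET the form first and
        # copy those values into this dict.
        resp = post(base_url.rstrip("/") + "/front/login.php",
                    {"login_name": user, "login_password": password})
        results[user] = looks_authenticated(resp)
    return results


def all_defaults_rejected(results: Dict[str, bool]) -> bool:
    """Post-fix verification passes only when no default pair authenticates."""
    return not any(results.values())


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface 3xx as HTTPError instead of following it


def urllib_post(url: str, fields: Dict[str, str]) -> HttpResponse:
    """Live transport for a server you are authorised to test. Redirects are
    not followed so the Location header of a successful login stays visible."""
    data = urllib.parse.urlencode(fields).encode()
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, data=data, timeout=10) as r:
            return HttpResponse(r.status, dict(r.headers),
                                r.read().decode(errors="replace"))
    except urllib.error.HTTPError as e:
        return HttpResponse(e.code, dict(e.headers),
                            e.read().decode(errors="replace"))


def fake_glpi(still_default: Tuple[str, ...]) -> Transport:
    """Constructed offline stand-in for a GLPI server: accounts named in
    still_default accept their default password, every other login fails."""
    def post(url: str, fields: Dict[str, str]) -> HttpResponse:
        user = fields.get("login_name", "")
        expected = dict(DEFAULT_CREDENTIALS).get(user)
        if user in still_default and fields.get("login_password") == expected:
            return HttpResponse(302, {"Location": "/front/central.php"})
        return HttpResponse(200, {}, "<form>Login failed</form>")
    return post


if __name__ == "__main__":
    unconfigured = probe_defaults("http://glpi.example", fake_glpi(("glpi", "tech")))
    print(unconfigured)                          # glpi and tech True, the rest False
    print(all_defaults_rejected(unconfigured))   # False: remediation still needed
```

Swap fake_glpi for urllib_post (after adding the CSRF token and real field names) to run it against an instance you are authorised to test; a True in the result is the finding, and the re-test after remediation should make all_defaults_rejected return True.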
- Command: none; as in Section 3, the check is an HTTP login attempt against the form.
6. Preventive Measures and Monitoring
Add strong-password requirements for GLPI accounts to the security baseline. Have the deployment pipeline or post-install step verify that no built-in account still accepts its default password before an instance is released. Review GLPI configuration on a regular cycle so that new instances or restored backups do not reintroduce the defaults.
- Baselines: require long, unique passwords for every GLPI administrator account and require unused built-in accounts to be disabled.
- Pipelines: if GLPI is deployed from infrastructure-as-code, scan that code for hard-coded passwords and add a post-deployment check that the default logins fail.
7. Risks, Side Effects, and Roll Back
Changing the super-admin password can lock administrators out if the new value is lost, and an over-strict password policy can prevent users from setting new passwords. Keep a documented roll-back procedure.
- Risk or side effect 1: losing the new administrator password leads to lockout and downtime. Mitigation: store it in the organisation's password manager or vault, and keep a second named super-admin account.
- Roll back: restore from the backup taken in Preparation (4.1).
8. References and Resources
- Vendor documentation (the installation guide lists the default accounts and warns to change them): https://glpi-project.org/documentation/
- NVD or CVE entry: no CVE is assigned; the weakness is CWE-16 (Configuration), more specifically CWE-1392 (Use of Default Credentials).
- Product or platform documentation relevant to the fix: https://glpi-project.org/documentation/