Is CVE-2022-35914 patched on this host?

Certain versions of GLPI include a vulnerable version of htmLawed. By submitting a carefully crafted HTTP request to a vulnerable GLPI server, unauthenticated remote code execution is achieved. This TTP attempts to run code on the GLPI server. The affected versions are 9.5.x up to and including 9.5.8, and 10.0.x up to and including 10.0.2.
This week, we are releasing a CVE TTP:
  • Is CVE-2022-35914 patched on this host?


GLPI is an open-source service management software. It includes a CMDB, helpdesk, financial & project management applications, and administrative features to help teams manage IT changes and business processes.

For this week's TTP Tuesday, we're releasing an unauthenticated remote code execution exploit for GLPI. This TTP demonstrates how to run arbitrary code on a vulnerable GLPI server by sending a specially crafted HTTP request to the GLPI htmLawed module.

The vulnerability affects GLPI 9.5.x up to and including 9.5.8, and 10.0.x up to and including 10.0.2.
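To turn the affected-version statement above into something you can run against an inventory, here is an added example (not Prelude's TTP code and not part of the original post). It assumes plain `major.minor.patch` version strings and encodes only the two branches the post names: 9.5.x is affected up to 9.5.8 and 10.0.x up to 10.0.2 (fixed in 10.0.3, as stated later in the post). Any other branch is reported as unknown rather than guessed.

```python
"""Classify GLPI version strings against the CVE-2022-35914 affected ranges
stated in the post. Added example; the 'first fixed patch level' table is an
assumption derived from the post's wording, not an official advisory table."""
from __future__ import annotations

import re
from typing import Optional

# (major, minor) -> first patch level on that branch that is NOT affected.
# Assumed from the post: 9.5.x affected through 9.5.8, 10.0.x affected through 10.0.2.
FIRST_FIXED_PATCH = {
    (9, 5): 9,
    (10, 0): 3,
}

_VERSION_RE = re.compile(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?\s*")


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse '10.0.2' / 'v9.5.8' / '9.5' into a (major, minor, patch) tuple."""
    m = _VERSION_RE.fullmatch(version)
    if not m:
        raise ValueError(f"unrecognised GLPI version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(version: str) -> Optional[bool]:
    """True if the version is in an affected range named by the post,
    False if it is at or past the first fixed patch level on that branch,
    None if the branch is not covered by the post's statement."""
    major, minor, patch = parse_version(version)
    fixed = FIRST_FIXED_PATCH.get((major, minor))
    if fixed is None:
        return None
    return patch < fixed


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by status. `inventory` maps hostname -> version string."""
    groups: dict[str, list[str]] = {"affected": [], "fixed": [], "unknown": []}
    for host, version in inventory.items():
        result = is_affected(version)
        key = "unknown" if result is None else ("affected" if result else "fixed")
        groups[key].append(host)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "glpi-prod": "10.0.2",
        "glpi-staging": "10.0.3",
        "glpi-legacy": "9.5.8",
        "glpi-old": "9.4.6",
    }
    for status, hosts in triage(sample).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Feed it the version string GLPI reports (for example from its admin "About" page) for each server you plan to run the TTP against; anything in the `affected` group is a candidate for the check, and anything `unknown` needs a manual look rather than an assumption either way.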


Execute Operator's CVE-2022-35914 TTP on each GLPI server in your environment to test if you are vulnerable.

The TTP sends a GET request to /vendor/htmlawed/htmlawed/htmLawedTest.php on localhost, attempts to execute code remotely on the GLPI server, and then parses the response to confirm whether exploitation succeeded. Depending on your GLPI configuration, you may need to adjust the TTP's predefined URL.
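Because the TTP targets a single, well-known path, the same path is a useful detection anchor in web-server access logs: any request to the htmLawed test page, from the TTP itself or from anyone else, is worth surfacing. The following is an added example (not Prelude's code and not part of the original post) that parses Apache/nginx combined-format access-log lines and flags requests whose path, after URL-decoding and case-folding, is the htmLawedTest.php page named above. The log lines are constructed for the example.

```python
"""Flag access-log requests for GLPI's htmLawedTest.php page, the endpoint
CVE-2022-35914 checks use. Added example; log lines below are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import unquote

# Path from the post, compared case-insensitively after decoding.
TARGET_PATH = "/vendor/htmlawed/htmlawed/htmlawedtest.php"

# Combined log format: ip ident user [ts] "METHOD url PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Hit:
    ip: str
    ts: str
    method: str
    path: str
    status: int

    @property
    def served(self) -> bool:
        """True when the server answered 200, i.e. the test page is reachable."""
        return self.status == 200


def normalise_path(url: str) -> str:
    """Strip the query string, URL-decode, lowercase and collapse '//' runs."""
    path = unquote(url.split("?", 1)[0]).lower()
    return re.sub(r"/+", "/", path)


def parse_line(line: str) -> Optional[Hit]:
    """Return a Hit for a well-formed line, None for anything unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Hit(
        ip=m.group("ip"),
        ts=m.group("ts"),
        method=m.group("method"),
        path=normalise_path(m.group("url")),
        status=int(m.group("status")),
    )


def find_htmlawed_requests(lines) -> list[Hit]:
    """All parseable requests whose normalised path is the htmLawed test page."""
    hits = []
    for line in lines:
        hit = parse_line(line)
        if hit is not None and hit.path == TARGET_PATH:
            hits.append(hit)
    return hits


def summarize(hits: list[Hit]) -> dict[str, int]:
    """Count flagged requests per source address."""
    counts: dict[str, int] = {}
    for hit in hits:
        counts[hit.ip] = counts.get(hit.ip, 0) + 1
    return counts


# Constructed sample log: addresses are documentation ranges, timestamps invented.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Oct/2022:10:01:02 +0000] "GET /front/login.php HTTP/1.1" 200 5123
203.0.113.7 - - [12/Oct/2022:10:01:09 +0000] "GET /vendor/htmlawed/htmlawed/htmLawedTest.php HTTP/1.1" 200 2210
203.0.113.7 - - [12/Oct/2022:10:01:11 +0000] "POST /vendor/htmlawed/htmlawed/htmLawedTest.php HTTP/1.1" 200 312
this line is not an access-log entry
198.51.100.9 - - [12/Oct/2022:10:02:00 +0000] "GET /vendor//htmlawed/htmlawed/htmlawedtest.php?x=1 HTTP/1.1" 404 196
"""

if __name__ == "__main__":
    for hit in find_htmlawed_requests(SAMPLE_LOG.splitlines()):
        state = "served" if hit.served else f"status {hit.status}"
        print(f"{hit.ts} {hit.ip} {hit.method} {hit.path} -> {state}")
    print(summarize(find_htmlawed_requests(SAMPLE_LOG.splitlines())))
```

A 200 on this path means the test page is being served, which is the precondition the TTP probes for; a 404 from your own scan run is the result you want to see after patching or after removing the vendor test page. Requests from addresses you do not recognise as your own Operator agents deserve the same follow-up as any other probe.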


In September 2022, GLPI released a patch for GLPI 10.0.x (10.0.3) and 9.5.x. Apply the patches or upgrade to the latest release version.

The vulnerability applies to several hook functions in GLPI. Disabling individual hooked functions may not prevent exploitation, as these hook functions are reachable through callback functions such as array_map and call_user_func. Do not rely on disable_functions for exec to patch the vulnerability.

Check out the TTP Is CVE-2022-35914 patched on this host? on the Prelude chains website.

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
