CVE-2025-40664
📋 TL;DR
CVE-2025-40664 is a missing authentication vulnerability in TCMAN GIM v11 that allows unauthenticated attackers to access user management endpoints. This enables unauthorized viewing, modification, and deletion of user accounts. Organizations using TCMAN GIM v11 are affected.
💻 Affected Systems
- TCMAN GIM v11
📦 What is this software?
GIM by TCMAN, a computerized maintenance management (CMMS/GMAO) web application built on ASP.NET (the vulnerable endpoints are page methods of frmGestionUser.aspx).
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of user management: an attacker can enumerate every account through GetData, rewrite credentials or roles of existing accounts (including administrators) through updateUser, and delete accounts through DeleteUser to lock legitimate users out of the system.
Likely Case
Unauthorized disclosure of user data, privilege escalation by modifying an existing account's role or credentials through updateUser, or denial of service by deleting critical user accounts through DeleteUser.
If Mitigated
Limited impact if network segmentation keeps the application off untrusted networks and authentication is enforced in front of the vulnerable endpoints by the web server or a reverse proxy, so that unauthenticated requests never reach the page methods.
🎯 Exploit Status
Direct HTTP requests to the vulnerable endpoints without authentication are sufficient for exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v11.1 or later
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-tcman-gim-0
Restart Required: Yes
Instructions:
1. Download the latest version from the vendor.
2. Back up the current installation and data.
3. Install the updated version.
4. Restart the TCMAN GIM service.
5. Verify that authentication is required for all endpoints.
🔧 Temporary Workarounds
Network Access Control
Windows: restrict access to the TCMAN GIM web ports using firewall rules or network segmentation, allowing only the subnets that legitimately use the application.
# Example Windows Firewall configuration (10.0.10.0/24 is a placeholder for your admin/user subnet).
# Do not add a Block rule for 0.0.0.0/0: Windows Firewall applies Block rules before Allow rules, so that would cut off legitimate users too.
# Instead rely on the profile's default inbound Block, disable the broad IIS allow rules and add one narrowly scoped Allow rule.
Set-NetFirewallProfile -All -DefaultInboundAction Block
Disable-NetFirewallRule -DisplayName "World Wide Web Services (HTTP Traffic-In)","World Wide Web Services (HTTPS Traffic-In)"
New-NetFirewallRule -DisplayName "TCMAN GIM - allow admin subnet" -Direction Inbound -Protocol TCP -LocalPort 80,443 -RemoteAddress 10.0.10.0/24 -Action Allow
Web Server Authentication
Windows: enforce authentication at the web server level (IIS/ASP.NET) for the vulnerable page. This only works if an authentication mode (Forms or Windows) is already configured in <system.web>; <deny users="?"/> denies anonymous users. ASP.NET resolves configuration for /frmGestionUser.aspx/GetData by the file path (frmGestionUser.aspx), so a single <location> element covers the page and its page methods; confirm this with an unauthenticated request afterwards.
# Configure authorization in web.config:
<location path="frmGestionUser.aspx">
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>
🧯 If You Can't Patch
- Implement network segmentation to isolate TCMAN GIM from untrusted networks.
- Deploy a web application firewall (WAF) in front of the application with rules that drop requests to /frmGestionUser.aspx/* that carry no session cookie, or that allow those paths only from administrator IP ranges.
🔍 How to Verify
Check if Vulnerable:
Send HTTP requests with no session cookie and no credentials to /frmGestionUser.aspx/GetData, /frmGestionUser.aspx/updateUser and /frmGestionUser.aspx/DeleteUser. If they return data or accept the call instead of answering 401/403 or redirecting to the login page, the system is vulnerable. Probe GetData first, since it is read-only; send updateUser and DeleteUser only an empty body, or test against a non-production copy, because on a vulnerable system a real payload would modify or delete accounts.
Check Version:
Check the application interface or configuration files for version information. Typically visible in the web interface footer or about page.
Verify Fix Applied:
Attempt the same unauthenticated requests after patching. They should return authentication errors (401/403) or redirect to login.
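The "check if vulnerable" and "verify fix applied" steps above can be run with the same script before and after patching. The following is an added example, not TCMAN code or part of the advisory; it assumes the three URLs are ASP.NET page methods called with a JSON POST, and the login-page heuristics in classify() are illustrative. It deliberately sends only an empty JSON object, so even on a vulnerable host updateUser and DeleteUser have no account to act on.

```python
"""Unauthenticated probe for the CVE-2025-40664 endpoints (added example, not vendor code)."""
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

ENDPOINTS = (
    "frmGestionUser.aspx/GetData",     # read-only: safe to probe first
    "frmGestionUser.aspx/updateUser",  # probed with an empty body only, never a real user
    "frmGestionUser.aspx/DeleteUser",  # same: an empty body names no account to delete
)


def classify(status, location, body):
    """Turn one unauthenticated response into a verdict.

    protected  - refused before the page method ran (401/403), redirected to a
                 login URL, or served a login form.
    vulnerable - 200 with a JSON body: the page method ran and returned data.
    reachable  - ASP.NET 500 "Invalid web service call": the request got past URL
                 authorization into argument binding, so authentication is not
                 enforced in the pipeline (a check inside the method body could
                 still exist; inspect manually).
    unknown    - anything else; inspect manually.
    """
    body_l = body.lower()
    if status in (401, 403):
        return "protected"
    if status in (301, 302, 303, 307, 308):
        return "protected" if location and "login" in location.lower() else "unknown"
    if status == 200:
        if body.lstrip().startswith(("{", "[")):
            return "vulnerable"
        if "<form" in body_l and "password" in body_l:
            return "protected"
        return "unknown"
    if status == 500 and "invalid web service call" in body_l:
        return "reachable"
    return "unknown"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of silently following them to the login page."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def probe(base_url, path, timeout=10):
    """POST an empty JSON object with no cookies or credentials and classify the reply."""
    req = urllib.request.Request(
        urljoin(base_url, path),
        data=b"{}",
        method="POST",
        headers={"Content-Type": "application/json; charset=utf-8",
                 "User-Agent": "cve-2025-40664-check"},
    )
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Location"),
                            resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # non-2xx, including the un-followed 3xx
        return classify(err.code, err.headers.get("Location"),
                        err.read().decode("utf-8", "replace"))


def check_host(base_url):
    """Return {endpoint: verdict}; run once before patching and once after."""
    return {ep: probe(base_url, ep) for ep in ENDPOINTS}


if __name__ == "__main__":
    # usage: python probe.py https://gim.example.internal/   (hypothetical host)
    for endpoint, verdict in check_host(sys.argv[1]).items():
        print(f"{verdict:10s} {endpoint}")
```

After the fix, every endpoint should come back as "protected"; a "reachable" verdict means the ASP.NET pipeline let the request through to argument binding, which is exactly what the web.config <deny users="?"/> workaround is meant to stop.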
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated requests to /frmGestionUser.aspx endpoints
- Multiple failed authentication attempts followed by successful access to user management functions
- Unusual user account creation/modification/deletion events
Network Indicators:
- HTTP traffic to /frmGestionUser.aspx endpoints without authentication headers or cookies
- POST requests to updateUser or DeleteUser from unexpected IP addresses
SIEM Query (Splunk-style; url, authentication and cookie are placeholder field names, map them to what your web-log source actually extracts, and note that IIS does not log cookies unless the cs(Cookie) field is enabled):
source="web_server" AND (url="/frmGestionUser.aspx/GetData" OR url="/frmGestionUser.aspx/updateUser" OR url="/frmGestionUser.aspx/DeleteUser") AND NOT (authentication="success" OR cookie="*session*")
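The same detection logic, run offline over raw IIS W3C log lines, as an added example that is not part of the advisory or the vendor's product. It assumes the cs(Cookie) field is enabled in IIS logging (it is off by default) and that authenticated sessions carry an ASP.NET_SessionId or .ASPXAUTH cookie; adjust AUTH_COOKIE_MARKERS to the cookie names your deployment sets. The log lines are constructed for the example, not real traffic.

```python
"""Offline hunt for CVE-2025-40664 probing in IIS W3C logs (added example)."""
from collections import Counter

TARGET_PATHS = {
    "/frmgestionuser.aspx/getdata",
    "/frmgestionuser.aspx/updateuser",
    "/frmgestionuser.aspx/deleteuser",
}
# Assumption: cookie names of an authenticated GIM session; change to your deployment's names.
AUTH_COOKIE_MARKERS = ("ASP.NET_SessionId", ".ASPXAUTH")

# Constructed sample, not real traffic. IIS encodes spaces inside a field as '+'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Cookie) sc-status
2025-06-01 09:00:01 POST /frmGestionUser.aspx/GetData - 10.0.10.5 Mozilla/5.0 ASP.NET_SessionId=k2j4;+.ASPXAUTH=9F1C 200
2025-06-01 09:00:07 POST /frmGestionUser.aspx/GetData - 203.0.113.9 python-requests/2.31 - 200
2025-06-01 09:00:09 POST /frmGestionUser.aspx/DeleteUser - 203.0.113.9 python-requests/2.31 - 200
2025-06-01 09:00:15 GET /Default.aspx - 203.0.113.9 python-requests/2.31 - 302
2025-06-01 09:00:20 POST /frmGestionUser.aspx/updateUser - 198.51.100.4 curl/8.0 - 401
"""


def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def has_auth_cookie(cookie_field):
    """True when the logged Cookie header carries one of the session markers."""
    return cookie_field != "-" and any(m in cookie_field for m in AUTH_COOKIE_MARKERS)


def analyze(text):
    """Return findings for user-management page methods called without a session.

    severity "high"    -> the call succeeded (2xx) with no authenticated session,
                          i.e. the exploitation pattern for this CVE.
    severity "attempt" -> refused (401/403/3xx); still worth an alert, someone is probing.
    """
    findings = []
    for rec in parse_w3c(text):
        path = rec["cs-uri-stem"].lower()
        if path not in TARGET_PATHS or rec["cs-method"].upper() not in ("GET", "POST"):
            continue
        if has_auth_cookie(rec.get("cs(Cookie)", "-")):
            continue
        status = int(rec["sc-status"])
        findings.append({
            "time": f"{rec['date']} {rec['time']}",
            "ip": rec["c-ip"],
            "path": rec["cs-uri-stem"],
            "status": status,
            "severity": "high" if 200 <= status < 300 else "attempt",
        })
    return findings


def summarize(findings):
    """Count successful unauthenticated calls per source IP (the alerting key)."""
    return Counter(f["ip"] for f in findings if f["severity"] == "high")


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for h in hits:
        print(f"{h['severity']:8s} {h['time']} {h['ip']:15s} {h['status']} {h['path']}")
    print("successful unauthenticated calls per IP:", dict(summarize(hits)))
```

On the sample, the two 200 responses to 203.0.113.9 are flagged as high and the refused updateUser call from 198.51.100.4 as an attempt; the session-bearing GetData call from 10.0.10.5 is ignored. Cookie-based detection only works once cs(Cookie) logging is on, so enable it (or log at the reverse proxy) before relying on this rule.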