CVE-2025-41014
📋 TL;DR
This vulnerability allows unauthenticated attackers to determine valid usernames in TCMAN GIM v11 by exploiting a user enumeration flaw in the /WS/PDAWebService.asmx web service endpoint. The endpoint answers differently depending on whether the username supplied in a SOAP request exists, so an attacker can walk a wordlist and learn which accounts are real, which is the first step of password spraying and targeted phishing. Organizations running TCMAN GIM v11 version 20250304 are affected.
💻 Affected Systems
- TCMAN GIM
📦 What is this software?
Gim by Tcman
⚠️ Risk & Real-World Impact
Worst Case
Attackers build a complete list of valid usernames, enabling targeted credential attacks, password spraying, or social engineering campaigns that could lead to full system compromise.
Likely Case
Attackers enumerate some valid usernames and use them for credential stuffing or targeted phishing attacks against identified users.
If Mitigated
With network access to the endpoint restricted and requests to it monitored, enumeration attempts are detected and blocked before a meaningful list of usernames is collected.
🎯 Exploit Status
Exploitation requires only sending a SOAP request to the vulnerable endpoint with different usernames and observing how the responses differ (status code, body length or body content); no credentials or special tooling are needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-tcman-gim-2
Restart Required: No
Instructions:
1. Monitor the INCIBE advisory above and the vendor website for a fixed build. 2. Test the update in a non-production environment first. 3. Apply the update to production systems.
🔧 Temporary Workarounds
Block vulnerable endpoint
Restrict access to the /WS/PDAWebService.asmx endpoint at the network or application firewall level. Packet-level string matching only works on cleartext HTTP: on port 443 the request path is inside TLS and cannot be matched by iptables, so for HTTPS the block has to be applied where the decrypted request is visible (reverse proxy, WAF or the web server itself). String matching is also case-sensitive and can be evaded with URL encoding or by splitting the path across packets, so treat it as a stopgap, not a control.
# Example iptables rule (cleartext HTTP only): iptables -A INPUT -p tcp --dport 80 -m string --string "PDAWebService.asmx" --algo bm -j DROP
Implement rate limiting
Configure the web server or WAF to limit requests to the vulnerable endpoint so that an attacker cannot cycle through a username list quickly. Rate limiting slows enumeration; it does not remove it.
# Apache mod_evasive example: DOSPageCount 2 (block a client that requests the same page more than twice within DOSPageInterval seconds)
# Nginx rate limiting: define the zone in the http block, then apply it in the endpoint's location block (keep the existing handler directives there)
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
location /WS/PDAWebService.asmx { limit_req zone=one burst=5 nodelay; }
🧯 If You Can't Patch
- Implement network segmentation to restrict access to TCMAN GIM web services to authorized users only
- Deploy a web application firewall (WAF) with rules to detect and block user enumeration patterns
🔍 How to Verify
Check if Vulnerable:
Send a SOAP request to https://[target]/WS/PDAWebService.asmx with soapaction set to GetLastDatePasswordChange and a pda:username element in the body. Compare the responses for an account known to exist and for one that does not; a consistent difference in status code, body length or body content confirms the enumeration flaw. Send two different non-existent usernames as a control first, so that per-request noise (timestamps, session identifiers) is not mistaken for a signal.
Check Version:
Check TCMAN GIM administration interface or consult system documentation for version information
Verify Fix Applied:
Test that the endpoint no longer returns different responses for valid vs invalid usernames, or that the endpoint is no longer accessible.
📡 Detection & Monitoring
Log Indicators:
- Bursts of GetLastDatePasswordChange requests carrying many distinct pda:username values from one source (the enumeration itself needs no authentication), followed by failed authentication attempts against those same usernames
- Unusual SOAP requests to PDAWebService.asmx endpoint
- Requests with soapaction: GetLastDatePasswordChange
Network Indicators:
- High volume of SOAP requests to /WS/PDAWebService.asmx
- Requests containing 'pda:username' parameter patterns (visible only where TLS is terminated, e.g. at a reverse proxy or WAF)
- Traffic from unexpected sources to web service endpoints
SIEM Query:
source="web_server" AND (uri="/WS/PDAWebService.asmx" OR soapaction="GetLastDatePasswordChange") | stats count by src_ip | where count > 20
The soapaction field only exists if the SOAPAction header is logged (custom access log format, or proxy/WAF logs); a default web server access log carries neither the header nor the username, in which case the request count per source to the URI is the available signal. Tune the threshold to the normal per-client rate for this endpoint.
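The detection logic described above, run over constructed log lines, as an added example (not from the advisory or the vendor). It assumes a reverse proxy or WAF writes one line per request in the constructed format "timestamp src_ip method path status soapaction=... user=...", which requires logging the SOAPAction header and extracting pda:username; the IP addresses, usernames and timestamps are made up. Rather than a plain request count, it counts distinct usernames per source inside a sliding time window, which is what separates an enumeration run from one client polling the same account repeatedly.

```python
"""
Detect CVE-2025-41014 username enumeration in proxy/WAF logs.
Added example; the log format is assumed and the sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format (not a default web server format):
#   <ISO-8601 UTC> <src_ip> <method> <path> <status> soapaction=<value> user=<pda:username>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) "
    r"soapaction=(?P<action>\S+) user=(?P<user>\S+)$"
)
ENDPOINT_PATH = "/WS/PDAWebService.asmx"
SOAP_ACTION = "GetLastDatePasswordChange"


def parse_line(line: str):
    """Return a dict for a well-formed line, None for anything else (so junk lines are skipped)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_enumeration(lines, window=timedelta(seconds=60), min_distinct=8):
    """
    One alert per source IP whose largest number of distinct usernames probed via
    GetLastDatePasswordChange inside any `window` reaches `min_distinct`.
    Returns [(src_ip, distinct_usernames, window_start), ...].
    """
    events = [
        rec for rec in map(parse_line, lines)
        if rec and rec["path"] == ENDPOINT_PATH and rec["action"] == SOAP_ACTION
    ]
    events.sort(key=lambda rec: rec["ts"])
    by_src = defaultdict(list)
    for rec in events:
        by_src[rec["src"]].append(rec)

    alerts = []
    for src, evs in by_src.items():
        best, best_start, start = 0, None, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # slide the window forward
                start += 1
            distinct = len({rec["user"] for rec in evs[start:end + 1]})
            if distinct > best:
                best, best_start = distinct, evs[start]["ts"]
        if best >= min_distinct:
            alerts.append((src, best, best_start))
    return alerts


def build_sample_log():
    """Constructed sample: one normal client, one client cycling a username wordlist."""
    lines = [
        "2025-03-05T10:00:01Z 10.0.5.20 POST /WS/PDAWebService.asmx 200 soapaction=GetLastDatePasswordChange user=jsmith",
        "2025-03-05T10:04:30Z 10.0.5.20 POST /WS/PDAWebService.asmx 200 soapaction=GetLastDatePasswordChange user=mlopez",
        "2025-03-05T10:09:15Z 10.0.5.20 POST /WS/PDAWebService.asmx 200 soapaction=GetLastDatePasswordChange user=jsmith",
        "this line is not in the expected format and must be ignored",
    ]
    wordlist = ["admin", "administrator", "root", "test", "jsmith", "mlopez",
                "operator", "gim", "tcman", "user1", "backup", "service"]
    for i, name in enumerate(wordlist):  # 12 distinct usernames in 22 seconds
        status = 200 if name in {"jsmith", "mlopez"} else 500  # constructed: real accounts answer, others fault
        lines.append(
            f"2025-03-05T10:20:{i * 2:02d}Z 203.0.113.7 POST /WS/PDAWebService.asmx {status} "
            f"soapaction=GetLastDatePasswordChange user={name}"
        )
    # a different SOAP action from the same attacker is not counted
    lines.append("2025-03-05T10:20:25Z 203.0.113.7 POST /WS/PDAWebService.asmx 200 soapaction=Login user=admin")
    return lines


if __name__ == "__main__":
    for src, n, started in find_enumeration(build_sample_log()):
        print(f"ALERT {src}: {n} distinct usernames probed starting {started.isoformat()}Z")
```

With a real log, feed the file's lines to find_enumeration and set min_distinct just above the largest number of different accounts one legitimate client is ever seen to query within the window; the same logic ports directly to a SIEM as a distinct-count over a time bucket grouped by source.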