CVE-2025-41015
📋 TL;DR
This vulnerability allows unauthenticated attackers to determine valid usernames in TCMAN GIM v11 systems by exploiting a user enumeration flaw in the web service endpoint. Attackers can query the system to check if specific usernames exist, which facilitates targeted attacks. Organizations using TCMAN GIM v11 version 20250304 are affected.
💻 Affected Systems
- TCMAN GIM
📦 What is this software?
Gim by Tcman
⚠️ Risk & Real-World Impact
Worst Case
Attackers build comprehensive user lists, enabling targeted credential attacks, social engineering, and privilege escalation leading to full system compromise.
Likely Case
Attackers enumerate valid usernames to conduct targeted password attacks, increasing success rates for account takeover.
If Mitigated
Limited to reconnaissance value only, with strong authentication controls preventing actual account compromise.
🎯 Exploit Status
Simple HTTP request manipulation required, no authentication needed
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-tcman-gim-2
Restart Required: No
Instructions:
1. Monitor vendor for patch release
2. Apply patch when available
3. Test in non-production environment first
🔧 Temporary Workarounds
Web Application Firewall Rule
Block or rate-limit requests to /WS/PDAWebService.asmx with soapaction GetUserQuestionAndAnswer
WAF-specific configuration required
Network Access Control
Restrict access to the vulnerable endpoint to trusted IP addresses only
Firewall rules to limit access to /WS/PDAWebService.asmx
🧯 If You Can't Patch
- Implement strong password policies and multi-factor authentication
- Monitor logs for unusual authentication attempts against enumerated users
🔍 How to Verify
Check if Vulnerable:
Send a SOAP request to /WS/PDAWebService.asmx with soapaction GetUserQuestionAndAnswer and the pda:username parameter, and observe whether the response differs for valid and invalid users
Check Version:
Check TCMAN GIM version in administration interface or configuration files
Verify Fix Applied:
Test that user enumeration no longer works: valid and invalid usernames should return identical responses
📡 Detection & Monitoring
Log Indicators:
- Multiple requests to /WS/PDAWebService.asmx with different username parameters
- SOAP requests with GetUserQuestionAndAnswer action
Network Indicators:
- HTTP POST requests to PDAWebService.asmx endpoint with username enumeration patterns
SIEM Query:
source_ip=* AND uri_path="/WS/PDAWebService.asmx" AND http_method="POST" AND (soapaction="GetUserQuestionAndAnswer" OR user_agent contains "SOAP")
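The log indicators above (many requests to /WS/PDAWebService.asmx with GetUserQuestionAndAnswer and different usernames from one source) can be turned into a concrete detection. The following is an added example, not code from the advisory or from TCMAN: it reads constructed JSON-lines log records, keeps only POSTs to the vulnerable endpoint with the GetUserQuestionAndAnswer action, and alerts on any source IP that queries more than a threshold of distinct usernames inside a sliding time window. The field names (ts, src_ip, method, uri_path, soapaction, username), the sample records, and the window and threshold values are assumptions; a real WAF or application log would need its fields mapped onto these names, and the username field assumes the logger extracts the pda:username element from the SOAP body.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log records (JSON lines). Field names are assumptions, not
# the product's own log format. The username field is assumed to hold the value
# of the pda:username element extracted from the SOAP body by the WAF/logger.
SAMPLE_LOGS = """\
{"ts": "2025-03-10T09:00:00Z", "src_ip": "198.51.100.7", "method": "POST", "uri_path": "/WS/PDAWebService.asmx", "soapaction": "GetUserQuestionAndAnswer", "username": "alice"}
{"ts": "2025-03-10T09:00:30Z", "src_ip": "198.51.100.7", "method": "POST", "uri_path": "/WS/PDAWebService.asmx", "soapaction": "GetUserQuestionAndAnswer", "username": "bob"}
{"ts": "2025-03-10T09:01:00Z", "src_ip": "198.51.100.7", "method": "POST", "uri_path": "/WS/PDAWebService.asmx", "soapaction": "GetUserQuestionAndAnswer", "username": "carol"}
{"ts": "2025-03-10T09:01:30Z", "src_ip": "198.51.100.7", "method": "POST", "uri_path": "/WS/PDAWebService.asmx", "soapaction": "GetUserQuestionAndAnswer", "username": "dave"}
{"ts": "2025-03-10T09:02:00Z", "src_ip": "198.51.100.7", "method": "POST", "uri_path": "/WS/PDAWebService.asmx", "soapaction": "GetUserQuestionAndAnswer", "username": "erin"}
{"ts": "2025-03-10T09:02:30Z", "src_ip": "198.51.100.7", "method": "POST", "uri_path": "/WS/PDAWebService.asmx", "soapaction": "GetUserQuestionAndAnswer", "username": "frank"}
{"ts": "2025-03-10T09:03:00Z", "src_ip": "198.51.100.7", "method": "POST", "uri_path": "/WS/PDAWebService.asmx", "soapaction": "GetUserQuestionAndAnswer", "username": "grace"}
{"ts": "2025-03-10T09:10:00Z", "src_ip": "192.0.2.9", "method": "POST", "uri_path": "/WS/PDAWebService.asmx", "soapaction": "GetUserQuestionAndAnswer", "username": "helpdesk1"}
{"ts": "2025-03-10T09:11:00Z", "src_ip": "192.0.2.9", "method": "POST", "uri_path": "/WS/PDAWebService.asmx", "soapaction": "GetUserQuestionAndAnswer", "username": "helpdesk2"}
{"ts": "2025-03-10T09:12:00Z", "src_ip": "192.0.2.9", "method": "POST", "uri_path": "/WS/PDAWebService.asmx", "soapaction": "GetUserQuestionAndAnswer", "username": "helpdesk3"}
{"ts": "2025-03-10T09:20:00Z", "src_ip": "203.0.113.5", "method": "POST", "uri_path": "/WS/PDAWebService.asmx", "soapaction": "GetUserQuestionAndAnswer", "username": "bob"}
{"ts": "2025-03-10T09:25:00Z", "src_ip": "203.0.113.5", "method": "POST", "uri_path": "/WS/PDAWebService.asmx", "soapaction": "GetUserQuestionAndAnswer", "username": "bob"}
{"ts": "2025-03-10T09:26:00Z", "src_ip": "203.0.113.5", "method": "GET", "uri_path": "/Default.aspx", "soapaction": null, "username": null}
"""

ENDPOINT = "/WS/PDAWebService.asmx"          # vulnerable endpoint from the advisory
ACTION = "GetUserQuestionAndAnswer"          # SOAP action from the advisory


def parse_logs(text):
    """Parse JSON-lines log text into records with a datetime 'ts' field."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def is_username_lookup(rec):
    """True for a POST to the vulnerable endpoint carrying the enumerable action."""
    return (rec.get("method") == "POST"
            and rec.get("uri_path") == ENDPOINT
            and rec.get("soapaction") == ACTION)


def detect_enumeration(records, window=timedelta(minutes=5), threshold=5):
    """Return {src_ip: set(usernames)} for every source that queried more than
    `threshold` distinct usernames within any `window`-long sliding window.
    Window and threshold are tuning assumptions; a single user retrying their
    own name (e.g. 203.0.113.5 above) never trips the rule because distinct
    names, not request count, are measured."""
    events_by_ip = defaultdict(list)
    for rec in records:
        if is_username_lookup(rec):
            events_by_ip[rec["src_ip"]].append((rec["ts"], rec["username"]))

    alerts = {}
    for ip, events in events_by_ip.items():
        events.sort()                        # oldest first
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            names = {name for _, name in events[start:end + 1]}
            if len(names) > threshold:
                alerts.setdefault(ip, set()).update(names)
    return alerts


if __name__ == "__main__":
    for ip, names in detect_enumeration(parse_logs(SAMPLE_LOGS)).items():
        print(f"ALERT possible username enumeration from {ip}: {sorted(names)}")
```

Measuring distinct usernames per source rather than raw request volume is what separates enumeration from a legitimate user repeating a self-service lookup; the threshold should be set from a baseline of normal traffic to the endpoint before the rule is put into production.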