CVE-2025-41012: Exposing Usernames – Unauthenticated Enumeration in TCMAN GIM v11

Overview

CVE-2025-41012 describes an unauthorized access vulnerability in TCMAN GIM v11, specifically version 20250304. The flaw lets an unauthenticated attacker determine whether a given user exists in the system. By supplying the pda:userId and pda:newPassword parameters to the UnlockUser operation (SOAPAction UnlockUser) exposed at the /WS/PDAWebService.asmx endpoint, an attacker can probe for valid usernames without any prior authentication.

Technical Details

The vulnerability stems from missing authentication and authorization checks in the UnlockUser function of the PDAWebService.asmx service. An attacker can craft a SOAP request carrying a pda:userId parameter, in effect asking the server to unlock the named account. The server’s response, whether the operation succeeds or fails, reveals whether that user exists. This information disclosure constitutes a user enumeration vulnerability.

Specifically, the attacker can send a SOAP request similar to this:

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:pda="http://tempuri.org/">
       <soapenv:Header/>
       <soapenv:Body>
          <pda:UnlockUser>
             <pda:userId>TARGET_USERNAME</pda:userId>
             <pda:newPassword>SomePassword</pda:newPassword>
          </pda:UnlockUser>
       </soapenv:Body>
    </soapenv:Envelope>

By analyzing the response, the attacker can infer whether the user “TARGET_USERNAME” exists within the TCMAN GIM system.

CVSS Analysis

At the time of writing, the CVE record lists a CVSS score of N/A, meaning the severity has not yet been formally assessed or a score is not available. Even without a score, the vulnerability should be treated as a security risk: it lets an attacker enumerate valid user accounts, which enlarges the attack surface and leaves the system more exposed to brute-force attacks and targeted phishing campaigns.

Possible Impact

The ability to enumerate users poses several risks:

  • Increased Attack Surface: Knowing valid usernames reduces the search space for brute-force password attacks, credential stuffing, and other related exploits.
  • Targeted Phishing: Attackers can craft highly targeted phishing emails, increasing the likelihood of successful compromise.
  • Social Engineering: Enumerated usernames can be used to gather further information through social engineering tactics.
  • Privilege Escalation: Once a valid username is known, attackers may attempt to exploit other vulnerabilities to gain unauthorized access to sensitive data or system resources.

Mitigation and Patch Steps

To mitigate this vulnerability, the following steps should be taken:

  • Apply the Patch: The most effective solution is to apply the security patch provided by TCMAN. Contact TCMAN support for the latest updates and patches for GIM v11.
  • Restrict Access: Implement network segmentation and access control policies to limit access to the /WS/PDAWebService.asmx endpoint from untrusted networks.
  • Implement Rate Limiting: Apply rate limiting to the UnlockUser function so that automated enumeration attempts are slowed down and become detectable.
  • Authentication Hardening: Review and strengthen authentication mechanisms, including password complexity requirements and multi-factor authentication, where possible.
  • Input Validation: Ensure robust input validation is implemented to prevent malformed or malicious SOAP requests from being processed.
  • Monitor Logs: Continuously monitor system logs for suspicious activity, such as a high number of failed unlock attempts or requests originating from unusual IP addresses.
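As an added illustration of the Monitor Logs step (example code written for this page, not TCMAN’s or the advisory’s), the following Python flags clients that POST to /WS/PDAWebService.asmx more than a set number of times within a sliding window. It assumes IIS W3C logs with the field order given in LOG_FIELDS, and the sample log lines are constructed; a real deployment may log a different field selection.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed IIS W3C field selection (a common one; not taken from the advisory).
LOG_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
              "s-port", "cs-username", "c-ip", "sc-status"]
TARGET_PATH = "/ws/pdawebservice.asmx"  # endpoint named in the advisory, lower-cased

def parse_iis_line(line):
    """Map one W3C log line onto LOG_FIELDS; None for directives and short lines."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(LOG_FIELDS):
        return None
    rec = dict(zip(LOG_FIELDS, parts))
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec

def find_enumeration_bursts(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {client_ip: peak_count} for clients that POST to the endpoint more than
    `threshold` times inside any sliding `window`. Default IIS logs do not record the
    SOAPAction header, so the rule keys on the path rather than on UnlockUser itself."""
    recent = defaultdict(deque)   # per-client timestamps inside the current window
    flagged = {}
    for line in lines:
        rec = parse_iis_line(line)
        if rec is None or rec["cs-method"] != "POST":
            continue
        if rec["cs-uri-stem"].lower() != TARGET_PATH:
            continue
        q = recent[rec["c-ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # expire entries older than the window
            q.popleft()
        if len(q) > threshold:
            flagged[rec["c-ip"]] = max(flagged.get(rec["c-ip"], 0), len(q))
    return flagged
# Constructed sample log: 198.51.100.7 probes the endpoint rapidly; 203.0.113.9 is ordinary traffic.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2025-03-10 08:00:00 10.0.0.5 GET /WS/PDAWebService.asmx - 443 - 203.0.113.9 200
2025-03-10 08:00:05 10.0.0.5 POST /WS/PDAWebService.asmx - 443 - 203.0.113.9 200
2025-03-10 08:00:11 10.0.0.5 POST /WS/PDAWebService.asmx - 443 - 198.51.100.7 200
2025-03-10 08:00:12 10.0.0.5 POST /WS/PDAWebService.asmx - 443 - 198.51.100.7 200
2025-03-10 08:00:13 10.0.0.5 POST /WS/PDAWebService.asmx - 443 - 198.51.100.7 500
2025-03-10 08:00:14 10.0.0.5 POST /WS/PDAWebService.asmx - 443 - 198.51.100.7 200
2025-03-10 08:00:15 10.0.0.5 POST /WS/PDAWebService.asmx - 443 - 198.51.100.7 500
2025-03-10 08:00:16 10.0.0.5 POST /WS/PDAWebService.asmx - 443 - 198.51.100.7 200
""".splitlines()
```

If the deployment logs the SOAPAction request header as a custom field, the filter can be tightened to UnlockUser requests specifically rather than all POSTs to the endpoint.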

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
