Skip to main content

Gim CVE-2025-40670

| EUVDEUVD-2025-17456 HIGH
Incorrect Authorization (CWE-863)
2025-06-09 cve-coordination@incibe.es
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 14, 2026 - 19:21 euvd
EUVD-2025-17456
Analysis Generated
Mar 14, 2026 - 19:21 vuln.today
CVE Published
Jun 09, 2025 - 13:15 nvd
HIGH 8.8

DescriptionCVE.org

Incorrect authorization vulnerability in TCMAN's GIM v11. This vulnerability allows an unprivileged attacker to create a user and assign it many privileges by sending a POST request to /PC/frmGestionUser.aspx/updateUser.

AnalysisAI

CVE-2025-40670 is an incorrect authorization vulnerability in TCMAN's GIM (Gestion Integrada de Mantenimiento) v11 that allows an authenticated but unprivileged attacker to escalate privileges by creating new users with elevated permissions through an insecure API endpoint. An attacker with valid (low-privilege) credentials can POST to /PC/frmGestionUser.aspx/updateUser to arbitrarily assign administrative or other high-privilege roles to newly created accounts, resulting in complete system compromise. This vulnerability represents a critical privilege escalation risk in maintenance management systems, potentially affecting industrial and critical infrastructure environments that rely on TCMAN for asset management.

Technical ContextAI

The vulnerability exists in TCMAN GIM v11's user management API endpoint (/PC/frmGestionUser.aspx/updateUser), which implements insufficient authorization checks on the updateUser POST handler. The root cause is classified as CWE-863 (Incorrect Authorization), indicating that the application fails to enforce role-based access controls (RBAC) or attribute-based access controls (ABAC) when processing user privilege assignment requests. Rather than validating that the requesting user has administrative authority to modify user roles or create privileged accounts, the endpoint accepts and processes privilege escalation requests from any authenticated user. The ASP.NET-based endpoint architecture (indicated by .aspx extension) suggests this is a legacy or traditionally-architected web application lacking modern authorization frameworks. The vulnerability likely stems from a missing authorization check between authentication (proving who you are) and authorization (verifying what you're allowed to do), a common pattern in CWE-863 vulnerabilities where authenticated sessions are assumed to have consistent privilege levels across all endpoints.

RemediationAI

Immediate actions: (1) PATCH: Update TCMAN GIM to a patched version released by the vendor (version number to be confirmed from official TCMAN security advisory); check vendor website or contact support for available patches; (2) TEMPORARY MITIGATION (if patching is delayed): Implement network-level access controls to restrict access to /PC/frmGestionUser.aspx endpoints to authorized administrative networks only, using WAF rules or reverse proxy rules to block POST requests to updateUser from non-administrative sources; (3) ACCESS CONTROL REVIEW: Audit all user accounts created or modified in the timeframe the system was unpatched to identify any unauthorized privilege escalations; remove illegitimate accounts or reset compromised privileges; (4) MONITORING: Implement logging and alerting on updateUser POST requests, particularly those that assign high-privilege roles; monitor for rapid user creation or privilege changes; (5) LEAST PRIVILEGE ENFORCEMENT: Review and enforce the principle of least privilege in TCMAN user roles to minimize impact of future authorization flaws. No specific patch version number was provided; consult TCMAN's official security portal, vendor advisories, or contact support@tcman.com (if applicable) for patch availability and version numbers.

More in Gim

View all
CVE-2025-41013 CRITICAL
9.8 Dec 02

SQL injection vulnerability in TCMAN GIM v11 in version 20250304. This vulnerability allows an attacker to retrieve, cre

CVE-2021-40850 CRITICAL
9.8 Dec 17

TCMAN GIM is vulnerable to a SQL injection vulnerability inside several available webservice methods in /PC/WebService.a

CVE-2025-40625 CRITICAL
9.3 May 06

Unrestricted file upload in TCMAN's GIM v11. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploita

CVE-2025-40624 CRITICAL
9.3 May 06

SQL injection in TCMAN's GIM v11. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no aut

CVE-2025-40623 CRITICAL
9.3 May 06

SQL injection in TCMAN's GIM v11. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no aut

CVE-2025-40622 CRITICAL
9.3 May 06

SQL injection in TCMAN's GIM v11. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no aut

CVE-2025-40621 CRITICAL
9.3 May 06

SQL injection in TCMAN's GIM v11. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no aut

CVE-2025-40620 CRITICAL
9.3 May 06

SQL injection in TCMAN's GIM v11. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no aut

CVE-2025-40664 CRITICAL
9.3 May 26

Missing authentication vulnerability in TCMAN GIM v11. Rated critical severity (CVSS 9.3), this vulnerability is remotel

CVE-2025-40665 HIGH
8.7 May 26

Time-based blind SQL injection vulnerabilities in TCMAN's GIM v11. Rated high severity (CVSS 8.7), this vulnerability is

CVE-2025-41015 HIGH
7.5 Dec 02

User Enumeration Vulnerability in TCMAN GIM v11 version 20250304. This vulnerability allows an unauthenticated attacker

CVE-2025-41014 HIGH
7.5 Dec 02

User Enumeration Vulnerability in TCMAN GIM v11 version 20250304. This vulnerability allows an unauthenticated attacker

Share

CVE-2025-40670 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy