Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Incorrect authorization vulnerability in TCMAN's GIM v11. This vulnerability allows an unprivileged attacker to create a user and assign it many privileges by sending a POST request to /PC/frmGestionUser.aspx/updateUser.
AnalysisAI
CVE-2025-40670 is an incorrect authorization vulnerability in TCMAN's GIM (Gestion Integrada de Mantenimiento) v11 that allows an authenticated but unprivileged attacker to escalate privileges by creating new users with elevated permissions through an insecure API endpoint. An attacker with valid (low-privilege) credentials can POST to /PC/frmGestionUser.aspx/updateUser to arbitrarily assign administrative or other high-privilege roles to newly created accounts, resulting in complete system compromise. This vulnerability represents a critical privilege escalation risk in maintenance management systems, potentially affecting industrial and critical infrastructure environments that rely on TCMAN for asset management.
Technical ContextAI
The vulnerability exists in TCMAN GIM v11's user management API endpoint (/PC/frmGestionUser.aspx/updateUser), which implements insufficient authorization checks on the updateUser POST handler. The root cause is classified as CWE-863 (Incorrect Authorization), indicating that the application fails to enforce role-based access controls (RBAC) or attribute-based access controls (ABAC) when processing user privilege assignment requests. Rather than validating that the requesting user has administrative authority to modify user roles or create privileged accounts, the endpoint accepts and processes privilege escalation requests from any authenticated user. The ASP.NET-based endpoint architecture (indicated by .aspx extension) suggests this is a legacy or traditionally-architected web application lacking modern authorization frameworks. The vulnerability likely stems from a missing authorization check between authentication (proving who you are) and authorization (verifying what you're allowed to do), a common pattern in CWE-863 vulnerabilities where authenticated sessions are assumed to have consistent privilege levels across all endpoints.
RemediationAI
Immediate actions: (1) PATCH: Update TCMAN GIM to a patched version released by the vendor (version number to be confirmed from official TCMAN security advisory); check vendor website or contact support for available patches; (2) TEMPORARY MITIGATION (if patching is delayed): Implement network-level access controls to restrict access to /PC/frmGestionUser.aspx endpoints to authorized administrative networks only, using WAF rules or reverse proxy rules to block POST requests to updateUser from non-administrative sources; (3) ACCESS CONTROL REVIEW: Audit all user accounts created or modified in the timeframe the system was unpatched to identify any unauthorized privilege escalations; remove illegitimate accounts or reset compromised privileges; (4) MONITORING: Implement logging and alerting on updateUser POST requests, particularly those that assign high-privilege roles; monitor for rapid user creation or privilege changes; (5) LEAST PRIVILEGE ENFORCEMENT: Review and enforce the principle of least privilege in TCMAN user roles to minimize impact of future authorization flaws. No specific patch version number was provided; consult TCMAN's official security portal, vendor advisories, or contact support@tcman.com (if applicable) for patch availability and version numbers.
SQL injection vulnerability in TCMAN GIM v11 in version 20250304. This vulnerability allows an attacker to retrieve, cre
TCMAN GIM is vulnerable to a SQL injection vulnerability inside several available webservice methods in /PC/WebService.a
Unrestricted file upload in TCMAN's GIM v11. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploita
SQL injection in TCMAN's GIM v11. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no aut
SQL injection in TCMAN's GIM v11. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no aut
SQL injection in TCMAN's GIM v11. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no aut
SQL injection in TCMAN's GIM v11. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no aut
SQL injection in TCMAN's GIM v11. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no aut
Missing authentication vulnerability in TCMAN GIM v11. Rated critical severity (CVSS 9.3), this vulnerability is remotel
Time-based blind SQL injection vulnerabilities in TCMAN's GIM v11. Rated high severity (CVSS 8.7), this vulnerability is
User Enumeration Vulnerability in TCMAN GIM v11 version 20250304. This vulnerability allows an unauthenticated attacker
User Enumeration Vulnerability in TCMAN GIM v11 version 20250304. This vulnerability allows an unauthenticated attacker
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-17456