How to fix CVE-2025-41015?

Within 24 hours: Identify all TCMAN GIM v11 instances in your environment and document network exposure; notify affected business units and restrict network access to PDAWebService.asmx if possible. Within 7 days: Deploy WAF rules to block requests to '/WS/PDAWebService.asmx' containing the 'pda:username' parameter; implement rate limiting on the GetUserQuestionAndAnswer SOAP action; enable detailed logging on affected endpoints. Within 30 days: Contact TCMAN vendor for patch availability and timeline; evaluate alternative authentication mechanisms; conduct security assessment for any compromise indicators from this vector.

Is Gim affected by CVE-2025-41015?

An unauthenticated attacker can enumerate valid user accounts in TCMAN GIM v11 (build 20250304), enabling targeted credential attacks and social engineering campaigns against your organization.

CVE-2025-41015

EUVD-2025-200245 HIGH

2025-12-02 [email protected]

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 14:04 euvd

EUVD-2025-200245

Analysis Generated

Mar 15, 2026 - 14:04 vuln.today

CVE Published

Dec 02, 2025 - 14:16 nvd

HIGH 7.5

Description

User Enumeration Vulnerability in TCMAN GIM v11 version 20250304. This vulnerability allows an unauthenticated attacker to determine whether a user exists on the system. The vulnerability is exploitable through the 'pda:username' parameter with 'soapaction GetUserQuestionAndAnswer' in '/WS/PDAWebService.asmx'.

Analysis

Technical Context

Information disclosure occurs when an application inadvertently reveals sensitive data to unauthorized actors through error messages, logs, or improper access controls. This vulnerability is classified as Information Exposure (CWE-200).

Affected Products

Affected products: Tcman Gim

Remediation

Implement proper access controls. Sanitize error messages in production. Review logging practices to avoid capturing sensitive data.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +38

POC: 0

CVE-2025-41015 vulnerability details – vuln.today

Back

CVE-2025-41015

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-41015

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code