
CVE-2025-40622: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in TCMAN GIM

Critical
Tags: vulnerability, cve-2025-40622, cwe-89
Published: Tue May 06 2025 (05/06/2025, 10:40:28 UTC)
Source: CVE
Vendor/Project: TCMAN
Product: GIM

Description

SQL injection in TCMAN's GIM v11. This vulnerability allows an unauthenticated attacker to inject an SQL statement to obtain, update and delete all information in the database. The vulnerability was found in the 'username' parameter of the 'GetLastDatePasswordChange' endpoint.

AI-Powered Analysis

AI analysis last updated: 07/05/2025, 18:27:02 UTC

Technical Analysis

CVE-2025-40622 is a critical SQL injection vulnerability affecting TCMAN's GIM product, version 11. The flaw is an instance of CWE-89 (improper neutralization of special elements used in an SQL command): the value of the 'username' parameter of the 'GetLastDatePasswordChange' endpoint reaches a backend SQL statement without being separated from the statement's structure, so an attacker controls part of the query text. Because the endpoint is reachable without credentials, an unauthenticated remote attacker can inject arbitrary SQL and, according to the description, read, update and delete all information in the database, which implies that the application's database account is not restricted to the tables and operations the endpoint needs. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) records network attack vector, low complexity, no attack requirements, no privileges and no user interaction; the vulnerable-system impact on confidentiality, integrity and availability is rated high, giving a score of 9.3 (Critical). No exploitation in the wild was known at the time of publication, but an unauthenticated injection in a password-related endpoint is the kind of flaw that is trivially automated once the endpoint name is public. The CVE was assigned by INCIBE and published on May 6, 2025. No patch or vendor advisory had been linked at the time of this analysis, so organizations running GIM v11 should treat themselves as exposed until a fix is released and applied.
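The following worked example is added to this analysis and is not TCMAN's code; the GIM source is not public, so the table, column and function names are assumptions chosen to mirror the endpoint and parameter named in the CVE. It reproduces the CWE-89 pattern against an in-memory SQLite database (string-built query) beside the parameterised version that closes it, and shows two of the payload classes the description refers to: a tautology that returns every user's record, and a UNION that pulls another column (here, password hashes) out through the same query.

```python
"""CWE-89 demonstration modelled on CVE-2025-40622 (added example, not GIM code).

Assumptions (not from the advisory): a `users` table with `username`,
`password_hash` and `last_password_change` columns, and an endpoint handler
that looks a user up by name. SQLite stands in for the real database.
"""
import sqlite3


def make_db():
    """Build a throwaway database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (
            id INTEGER PRIMARY KEY,
            username TEXT NOT NULL,
            password_hash TEXT NOT NULL,
            last_password_change TEXT NOT NULL
        );
        INSERT INTO users (username, password_hash, last_password_change) VALUES
            ('alice', '$2b$12$alicehash', '2025-03-01'),
            ('bob',   '$2b$12$bobhash',   '2025-04-15'),
            ('admin', '$2b$12$adminhash', '2025-01-20');
        """
    )
    return conn


def get_last_date_password_change_vulnerable(conn, username):
    """The CWE-89 pattern: the caller's string is spliced into the SQL text.

    Whatever arrives in `username` is parsed as SQL, so a single quote ends
    the literal and the rest of the value becomes part of the statement.
    """
    sql = (
        "SELECT username, last_password_change FROM users "
        f"WHERE username = '{username}'"
    )
    return conn.execute(sql).fetchall()


def get_last_date_password_change_fixed(conn, username):
    """The fix: bind the value as a parameter.

    The statement text is fixed at development time; the driver passes the
    value separately, so it can only ever be compared, never executed.
    """
    sql = (
        "SELECT username, last_password_change FROM users "
        "WHERE username = ?"
    )
    return conn.execute(sql, (username,)).fetchall()


# Constructed attacker inputs for the `username` parameter.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "x' UNION SELECT username, password_hash FROM users--"


def demo():
    """Run each input through both handlers; returns the results for inspection."""
    conn = make_db()
    results = {}
    for label, value in (("legit", "alice"), ("tautology", TAUTOLOGY),
                         ("union", UNION_DUMP)):
        results[label] = {
            "vulnerable": get_last_date_password_change_vulnerable(conn, value),
            "fixed": get_last_date_password_change_fixed(conn, value),
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:>10}: vulnerable={outcome['vulnerable']}")
        print(f"{'':>10}  fixed     ={outcome['fixed']}")
```

Two points the output makes that the prose does not: the parameterised handler is not "validating" the input (the tautology string is a perfectly legal username to search for, it simply matches nothing), and the UNION payload shows why an injection in a harmless-looking read-only endpoint still exposes every column the database account can see. SQLite's `execute` refuses stacked statements, so the `; DROP TABLE` form of the "delete all information" case does not run here; against a driver or database that allows multiple statements per call it would.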

Potential Impact

For European organizations, the impact of this vulnerability is significant for anyone running TCMAN GIM v11 in a role that touches critical business functions. The vulnerable endpoint name indicates that the application stores user account data, and the description states that the injection reaches the whole database, so successful exploitation could expose personal data, credentials and operational information, potentially triggering GDPR breach-notification obligations. The ability to alter or delete records threatens business continuity and the integrity of the data the system holds, with the associated financial and reputational cost. Because the attack needs no account, threat actors can exploit it from anywhere the endpoint is reachable, and an Internet-exposed instance is at immediate risk. Organizations in sectors such as finance, healthcare, government and critical infrastructure that use GIM are particularly at risk, and the combination of high severity, low complexity and no authentication makes the flaw a likely initial access vector for espionage, sabotage or a subsequent ransomware deployment.

Mitigation Recommendations

The only complete fix is a vendor patch that builds the query with bound parameters instead of string concatenation, so engage TCMAN support for a fixed release and apply it as soon as it is available. Until then, reduce exposure first: put the GIM system behind network segmentation or a VPN so the endpoint is not reachable from untrusted networks, and, where feasible, disable or block the 'GetLastDatePasswordChange' endpoint at the reverse proxy. A web application firewall with rules targeting the 'username' parameter of that endpoint is a useful stopgap, with the caveat that signature-based rules are bypassable through encoding and case variation and must not be treated as a fix. Run the application's database account with least privilege (read access to the tables the application needs, no DDL or administrative rights), which limits what an injection can read or destroy. Monitor web-server and database logs for injection indicators against this endpoint (quote characters followed by SQL keywords, UNION SELECT, comment terminators, stacked statements) and alert on them, since the endpoint should receive only plain usernames. Prepare incident response for data theft and data loss, including verified backups and a restore procedure. Finally, penetration testing and code review of the deployment can surface similar injection flaws in other endpoints before they are reported publicly.
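The detection logic described above, as an added example that is not part of this page or of TCMAN's product: a small detector run over constructed web-server log lines, matching requests to the 'GetLastDatePasswordChange' endpoint and scoring the decoded 'username' value against a handful of injection signatures. The log format, the endpoint path and the sample traffic are assumptions; the point is that a bare quote alone is not enough to alert on (a name like O'Brien is legitimate), so the rules key on a quote or terminator in combination with SQL syntax.

```python
"""Injection-attempt detector for the GetLastDatePasswordChange endpoint.

Added example, not TCMAN code. Assumptions: combined-style access logs, a
GET endpoint at /GetLastDatePasswordChange and a query parameter `username`.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Assumed endpoint path and parameter name (the advisory gives the names,
# not the URL layout).
TARGET_PATH = "/GetLastDatePasswordChange"
PARAM = "username"

# Constructed sample log lines; not real GIM traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [06/May/2025:10:41:02 +0000] "GET /GetLastDatePasswordChange?username=alice HTTP/1.1" 200 87
10.0.0.5 - - [06/May/2025:10:41:09 +0000] "GET /GetLastDatePasswordChange?username=o%27brien HTTP/1.1" 200 87
203.0.113.7 - - [06/May/2025:10:42:13 +0000] "GET /GetLastDatePasswordChange?username=%27+OR+%271%27%3D%271 HTTP/1.1" 200 2210
203.0.113.7 - - [06/May/2025:10:42:20 +0000] "GET /GetLastDatePasswordChange?username=x%27+UNION+SELECT+username%2Cpassword_hash+FROM+users-- HTTP/1.1" 200 3044
203.0.113.7 - - [06/May/2025:10:42:31 +0000] "GET /GetLastDatePasswordChange?username=x%27%3B+DROP+TABLE+users--+ HTTP/1.1" 500 312
10.0.0.9 - - [06/May/2025:10:43:00 +0000] "GET /index.html HTTP/1.1" 200 1432
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Each rule is applied to the URL-decoded parameter value.
RULES = [
    # a string literal being closed and followed by a boolean/compound operator
    ("quote_then_sql", re.compile(r"'\s*(or|and|union)\b", re.I)),
    # OR 1=1, OR 'a'='a', AND 2=2 ... (same token on both sides of '=')
    ("tautology", re.compile(r"\b(or|and)\s+'?(\w+)'?\s*=\s*'?\2", re.I)),
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    # statement terminator followed by a destructive verb
    ("stacked_query", re.compile(r";\s*(drop|delete|update|insert|alter)\b", re.I)),
    # value ends in a comment opener: the rest of the real query is discarded
    ("comment_terminator", re.compile(r"(--|/\*|#)\s*$")),
]


def analyze_line(line):
    """Return an alert dict for a suspicious request to the endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path.lower() != TARGET_PATH.lower():
        return None
    # parse_qs performs the %xx and '+' decoding for us.
    params = parse_qs(url.query, keep_blank_values=True)
    for value in params.get(PARAM, []):
        hits = [name for name, rx in RULES if rx.search(value)]
        if hits:
            return {
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "value": value,
                "rules": hits,
            }
    return None


def scan_log(text):
    """Run the detector over every line; returns the list of alerts in order."""
    alerts = []
    for line in text.splitlines():
        alert = analyze_line(line)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a['ts']} {a['ip']} status={a['status']} "
              f"rules={','.join(a['rules'])} value={a['value']!r}")
```

Running it over the sample flags the three requests from 203.0.113.7 and leaves both legitimate usernames alone. In production the same rules belong in the WAF in front of GIM as a blocking policy and in the SIEM as a detection; the response size and status code in the alert are worth keeping, since a tautology that returns far more bytes than a normal lookup, or a stacked statement that produces a 500, is the difference between a probe and a successful dump.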


Technical Details

Data Version: 5.1
Assigner Short Name: INCIBE
Date Reserved: 2025-04-16T08:38:07.129Z
CISA Enriched: true
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 682d981cc4522896dcbda60d

Added to database: 5/21/2025, 9:08:44 AM

Last enriched: 7/5/2025, 6:27:02 PM

Last updated: 7/30/2025, 11:47:44 PM

