
CVE-2025-40623: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in TCMAN GIM

Critical
Tags: vulnerability, cve-2025-40623, cwe-89
Published: Tue May 06 2025 (05/06/2025, 10:41:04 UTC)
Source: CVE
Vendor/Project: TCMAN
Product: GIM

Description

SQL injection in TCMAN's GIM v11. This vulnerability allows an unauthenticated attacker to inject an SQL statement to obtain, update and delete all information in the database. The vulnerability was found in the 'Sender' and 'email' parameters of the 'createNotificationAndroid' endpoint.

AI-Powered Analysis

Last updated: 07/05/2025, 18:27:18 UTC

Technical Analysis

CVE-2025-40623 is a critical SQL injection vulnerability (CWE-89, improper neutralization of special elements used in an SQL command) in version 11 of TCMAN's GIM. The 'Sender' and 'email' parameters of the 'createNotificationAndroid' endpoint reach the database without neutralization, so an attacker can change the statement the server executes. According to the CVE description the injected SQL is not confined to the endpoint's own operation: it can be used to read, update and delete all information in the database, so confidentiality, integrity and availability are all affected. The CVSS 4.0 vector components given for this record (AV:N/AC:L/PR:N/UI:N) state that the endpoint is reachable over the network, exploitation is low in complexity, and neither privileges nor user interaction are required, which is why the score is 9.3 (Critical). No public exploit is known at the time of writing, but SQL injection in an unauthenticated parameter is straightforward to find and weaponize once the endpoint is located, so the absence of a known exploit should not be read as low risk. The CVE was assigned and published by INCIBE, Spain's national cybersecurity institute, and the record carries CISA enrichment data (see Cisa Enriched in the Technical Details below). No patch or vendor advisory is linked in the record, so organizations running TCMAN GIM v11 should assume they are exposed until TCMAN confirms a fixed build.
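The following is an added illustration of the CWE-89 pattern the analysis describes, not TCMAN's code and not derived from GIM: a hypothetical "create notification" handler that splices the 'Sender' and 'email' values into an INSERT, beside the parameterized version that would remove the flaw. The SQLite backend, the table and column names, and the two payloads are assumptions constructed for the demo. It shows why an insert-only endpoint still leaks data: a subquery smuggled through either parameter copies a value from another table into the row the attacker just created, which the attacker can then read back through whatever normally displays notifications.

```python
import sqlite3

# Constructed stand-in for the vulnerable pattern: table names, columns and the
# SQLite backend are assumptions for the demo, not TCMAN GIM's real schema or code.

# Payload for the 'email' parameter: breaks out of the string literal and
# concatenates a value read from another table into the stored row.
EMAIL_PAYLOAD = "x'||(SELECT password_hash FROM users WHERE id=1)||'"

# Payload for the 'Sender' parameter: closes the VALUES list early and comments
# out the rest of the statement, so the attacker-chosen subquery fills the
# second column.
SENDER_PAYLOAD = "attacker', (SELECT password_hash FROM users WHERE id=1)) --"


def setup_db():
    """In-memory database with one 'secret' row the endpoint should never expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT);
        CREATE TABLE notifications (id INTEGER PRIMARY KEY, sender TEXT, email TEXT);
        INSERT INTO users (email, password_hash)
            VALUES ('admin@example.com', 'hash-constructed-for-demo');
        """
    )
    return conn


def create_notification_vulnerable(conn, sender, email):
    """CWE-89: request parameters are pasted into the SQL text."""
    sql = f"INSERT INTO notifications (sender, email) VALUES ('{sender}', '{email}')"
    conn.execute(sql)
    conn.commit()


def create_notification_hardened(conn, sender, email):
    """Parameterized statement: the driver sends the values separately from the
    SQL text, so quotes, '||' and '--' in them never reach the parser as SQL."""
    conn.execute(
        "INSERT INTO notifications (sender, email) VALUES (?, ?)", (sender, email)
    )
    conn.commit()


def stored_rows(conn):
    return list(conn.execute("SELECT sender, email FROM notifications ORDER BY id"))


def run_demo():
    results = {}

    conn = setup_db()
    create_notification_vulnerable(conn, "attacker", EMAIL_PAYLOAD)
    results["vulnerable_email"] = stored_rows(conn)     # secret appears in the new row

    conn = setup_db()
    create_notification_vulnerable(conn, SENDER_PAYLOAD, "ignored@example.com")
    results["vulnerable_sender"] = stored_rows(conn)    # secret replaces the email column

    conn = setup_db()
    create_notification_hardened(conn, SENDER_PAYLOAD, EMAIL_PAYLOAD)
    results["hardened"] = stored_rows(conn)             # payloads stored as inert text

    return results


if __name__ == "__main__":
    for case, rows in run_demo().items():
        print(f"{case}: {rows}")
```

Whether stacked statements (a trailing `; DELETE ...`) also work depends on the database driver; Python's sqlite3 refuses them, many other drivers do not, which is one reason the CVE description's "update and delete" is plausible even for an insert endpoint.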

Potential Impact

For European organizations running TCMAN GIM v11 the impact is significant. The flaw gives an unauthenticated, remote attacker read and write access to the whole application database, and a system that accepts sender names and e-mail addresses for notifications holds at least that personal data alongside its operational records and configuration. Disclosure of such data is a personal data breach under GDPR, with notification obligations and potential fines in addition to reputational damage. Because the attacker can also update or delete records, the integrity of operational data and the continuity of the service itself are at risk. No insider access or user interaction is needed, so the only precondition is that the endpoint is reachable by the attacker, and exposed instances can be found and attacked at scale. The absence of known in-the-wild exploitation leaves a short window for defenders to reduce exposure; it is not a reason to defer action.

Mitigation Recommendations

The root-cause fix (building the 'createNotificationAndroid' query with parameterized queries or prepared statements so that the 'Sender' and 'email' values are bound as data rather than spliced into SQL text) must come from TCMAN, since customers do not control the application code; input validation on those parameters is useful defense in depth but not a substitute. Until a fixed build is available, affected organizations can reduce exposure as follows. Limit who can reach the endpoint: if GIM is Internet-facing, place it behind a VPN or an IP allowlist, and note that an endpoint named for Android clients may be called by mobile devices on changing addresses, so test that a restriction does not break legitimate use. Deploy a WAF or reverse proxy with rules that inspect the 'Sender' and 'email' parameters after URL decoding, in both the query string and the request body, for SQL metacharacters (quotes, comment sequences such as -- and /*, statement terminators, string concatenation operators, and keywords such as UNION and SELECT), and alert on or block matches. Review web-server, proxy and database logs for past requests to the endpoint carrying such values, for HTTP 500 responses from it, and for database syntax errors, all of which are typical of probing; if such requests succeeded, treat the database as compromised. Verify that database backups are complete, recent and restorable, and audit the database for rows or accounts an attacker could have added or altered. Open a case with TCMAN for a patch timeline, plan for rapid deployment once a fixed version is released, and brief the incident response team so that confirmed exploitation is handled as a full database compromise.
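An added detection example for the log review recommended above (written for this page, not taken from TCMAN or any WAF product): it parses constructed access-log lines in combined format, keeps only requests to a path ending in createNotificationAndroid, URL-decodes the 'Sender' and 'email' parameters, and flags values carrying SQL metacharacters. The /api/ path prefix, the parameters travelling in the query string, and the sample lines themselves are assumptions; if the real client sends the parameters in a POST body, plain access logs will not contain them and the same logic has to run on WAF or reverse-proxy logs that record request bodies.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/nginx combined format. IPs are from the
# documentation ranges; the /api/ path and query-string parameter passing are
# assumptions, not observed GIM behaviour.
SAMPLE_LOG = """\
203.0.113.5 - - [06/May/2025:10:41:04 +0000] "POST /api/createNotificationAndroid?Sender=ops&email=user%40example.com HTTP/1.1" 200 51
203.0.113.5 - - [06/May/2025:10:41:40 +0000] "POST /api/createNotificationAndroid?Sender=ops&email=o%27brien%40example.com HTTP/1.1" 200 51
203.0.113.9 - - [06/May/2025:10:42:17 +0000] "POST /api/createNotificationAndroid?Sender=x&email=x%27%7C%7C%28SELECT+password_hash+FROM+users%29%7C%7C%27 HTTP/1.1" 200 51
198.51.100.7 - - [06/May/2025:10:43:00 +0000] "GET /login HTTP/1.1" 200 1024
203.0.113.9 - - [06/May/2025:10:44:30 +0000] "POST /api/createNotificationAndroid?Sender=a%27+OR+1%3D1--&email=b%40example.com HTTP/1.1" 500 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

ENDPOINT = "/createnotificationandroid"
WATCHED_PARAMS = {"sender", "email"}

# Indicators are checked against the URL-decoded value. A lone quote is not
# enough (o'brien@example.com is a valid address); it must be paired with a SQL
# keyword, or the value must contain a comment/terminator or concatenation.
SQLI_SIGNS = [
    ("comment/terminator", re.compile(r"--|/\*|;")),
    ("concatenation", re.compile(r"\|\|")),
    ("quote+keyword", re.compile(
        r"['\"].*\b(UNION|SELECT|INSERT|UPDATE|DELETE|DROP|OR|AND)\b", re.I | re.S)),
]


def analyze_line(line):
    """Return a list of alerts for one log line, or None if nothing is suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.lower().endswith(ENDPOINT):
        return None
    alerts = []
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        if name.lower() not in WATCHED_PARAMS:
            continue
        for value in values:          # parse_qs has already percent-decoded it
            reasons = [label for label, rx in SQLI_SIGNS if rx.search(value)]
            if reasons:
                alerts.append({
                    "ip": m["ip"], "time": m["ts"], "status": m["status"],
                    "param": name, "value": value, "reasons": reasons,
                })
    return alerts or None


def scan(log_text):
    """Run analyze_line over a whole log and collect the alerts in order."""
    alerts = []
    for line in log_text.splitlines():
        hits = analyze_line(line)
        if hits:
            alerts.extend(hits)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a['time']} {a['ip']} {a['param']}={a['value']!r} "
              f"status={a['status']} reasons={a['reasons']}")
```

On the constructed sample this flags the two injection attempts from 203.0.113.9 and leaves both legitimate requests alone, including the address with an apostrophe. The 500 status on the last attempt is itself worth a separate alert when it comes from this endpoint: a malformed injection typically surfaces as a database error before the attacker gets the syntax right.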


Technical Details

Data Version: 5.1
Assigner Short Name: INCIBE
Date Reserved: 2025-04-16T08:38:07.130Z
Cisa Enriched: true
Cvss Version: 4.0
State: PUBLISHED

Threat ID: 682d981cc4522896dcbda611

Added to database: 5/21/2025, 9:08:44 AM

Last enriched: 7/5/2025, 6:27:18 PM

Last updated: 7/29/2025, 7:46:30 PM


