
CVE-2025-40668: CWE-863 Incorrect Authorization in TCMAN GIM

Severity: High
Tags: Vulnerability, CVE-2025-40668, CWE-863
Published: Mon Jun 09 2025 (06/09/2025, 12:25:59 UTC)
Source: CVE Database V5
Vendor/Project: TCMAN
Product: GIM

Description

Incorrect authorization vulnerability in TCMAN's GIM v11. This vulnerability allows an attacker, with low privilege level, to change the password of other users through a POST request using the parameters idUser, PasswordActual, PasswordNew and PasswordNewRepeat in /PC/WebService.aspx/validateChangePassword%C3%B1a. To exploit the vulnerability the PasswordActual parameter must be empty.

AI-Powered Analysis

AI analysis last updated: 07/09/2025, 13:26:15 UTC

Technical Analysis

CVE-2025-40668 is a high-severity authorization vulnerability in version 11 of TCMAN's GIM product. It stems from an incorrect authorization check in the password change functionality exposed by the web service endpoint /PC/WebService.aspx/validateChangePasswordña. An attacker with low privileges can exploit the flaw by sending a crafted POST request containing the parameters idUser, PasswordActual, PasswordNew and PasswordNewRepeat. The key enabler is that the PasswordActual parameter may be left empty, so the current password is never actually verified; combined with an attacker-chosen idUser, this lets the attacker change the password of arbitrary users without proper authorization. The vulnerability is classified under CWE-863 (Incorrect Authorization), meaning the system fails to enforce its access control policy on a sensitive operation. The CVSS v4.0 base score is 7.1 (high), reflecting a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N) and high impact on integrity (VI:H). The vulnerability does not directly impact confidentiality or availability, but it compromises account integrity by allowing unauthorized password changes. No exploitation in the wild has been reported, and no patches were linked at the time of publication. The CVE was assigned and published by INCIBE. The flaw could be leveraged to gain unauthorized access to user accounts, potentially escalating privileges or disrupting normal operations within organizations running TCMAN GIM v11.

Potential Impact

For European organizations using TCMAN GIM version 11, this vulnerability poses a significant risk to account security and operational integrity. Unauthorized password changes can lead to account takeover, enabling attackers to impersonate legitimate users, access sensitive data, or manipulate system configurations. This can result in data breaches, loss of trust, and operational disruptions. Given that the vulnerability requires only low privilege and no user interaction, exploitation can be automated and executed remotely over the network, increasing the attack surface. Organizations in sectors with strict regulatory requirements for data protection, such as finance, healthcare, and critical infrastructure, may face compliance violations and reputational damage if exploited. Furthermore, the ability to change passwords without authorization could facilitate lateral movement within networks, enabling attackers to escalate privileges or deploy further malicious activities. The absence of a patch at the time of disclosure necessitates immediate risk mitigation to prevent exploitation.

Mitigation Recommendations

1. Immediate mitigation should include restricting access to the vulnerable endpoint (/PC/WebService.aspx/validateChangePasswordña) via network controls such as firewalls or web application firewalls (WAFs) to limit exposure to trusted IP ranges only.
2. Implement strict monitoring and alerting on password change requests, especially those with empty PasswordActual parameters or originating from low-privilege accounts, to detect suspicious activity early.
3. Enforce multi-factor authentication (MFA) for all user accounts to reduce the impact of compromised credentials resulting from unauthorized password changes.
4. Conduct a thorough audit of user accounts and password change logs to identify any unauthorized modifications.
5. Coordinate with the TCMAN vendor for timely patch deployment once available; meanwhile, consider temporary compensating controls such as disabling the vulnerable functionality if feasible.
6. Educate users and administrators about the risk and encourage prompt reporting of any anomalous account behavior.
7. Review and tighten authorization logic in custom integrations or extensions interacting with the GIM password change API to ensure proper validation of user privileges.
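The detection described in item 2 (and the log audit in item 4), as an added example that is not part of the advisory or of TCMAN's product: it scans request logs for POSTs to the vulnerable endpoint and flags the two signals that characterize the abuse, an empty PasswordActual and an idUser that differs from the authenticated session user. The one-JSON-object-per-line log format, including the field names session_user, src, path and form, is an assumption for illustration; a real reverse-proxy or GIM log would need its own parser.

```python
"""Flag password-change requests matching the CVE-2025-40668 abuse pattern."""
import json
from urllib.parse import unquote

# Endpoint named in the advisory; the log may store it percent-encoded.
VULN_PATH = "/PC/WebService.aspx/validateChangePasswordña"

# Constructed sample log (assumed reverse-proxy format, one JSON event per line).
SAMPLE_LOG = """
{"ts":"2025-06-09T12:00:01Z","session_user":"17","src":"10.0.0.5","method":"POST","path":"/PC/WebService.aspx/validateChangePassword%C3%B1a","form":{"idUser":"17","PasswordActual":"old-pw","PasswordNew":"n3w","PasswordNewRepeat":"n3w"}}
{"ts":"2025-06-09T12:00:07Z","session_user":"17","src":"10.0.0.5","method":"POST","path":"/PC/WebService.aspx/validateChangePassword%C3%B1a","form":{"idUser":"1","PasswordActual":"","PasswordNew":"n3w","PasswordNewRepeat":"n3w"}}
{"ts":"2025-06-09T12:00:09Z","session_user":"42","src":"10.0.0.9","method":"GET","path":"/PC/Home.aspx","form":{}}
{"ts":"2025-06-09T12:00:11Z","session_user":"17","src":"10.0.0.5","method":"POST","path":"/PC/WebService.aspx/validateChangePassword%C3%B1a","form":{"idUser":"23","PasswordActual":"guess","PasswordNew":"n3w","PasswordNewRepeat":"n3w"}}
"""


def classify(event):
    """Return the reasons an event is suspicious; an empty list means benign."""
    if event.get("method") != "POST" or unquote(event.get("path", "")) != VULN_PATH:
        return []
    form = event.get("form", {})
    reasons = []
    # The advisory states exploitation requires PasswordActual to be empty.
    if form.get("PasswordActual", "") == "":
        reasons.append("empty PasswordActual")
    # Changing another account's password is the CWE-863 authorization failure;
    # a legitimate self-service change targets the caller's own idUser.
    if form.get("idUser") not in (None, event.get("session_user")):
        reasons.append(f"idUser {form['idUser']} != session user {event['session_user']}")
    return reasons


def scan(log_text):
    """Return (timestamp, source, reasons) for every suspicious event in the log."""
    alerts = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            alerts.append((event["ts"], event["src"], reasons))
    return alerts


if __name__ == "__main__":
    for ts, src, reasons in scan(SAMPLE_LOG):
        print(f"ALERT {ts} from {src}: {'; '.join(reasons)}")
```

A legitimate self-service change (first line) produces no alert; the empty-PasswordActual request and the cross-user request are both reported, and an analyst can pivot from the session_user value to the audit in item 4.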


Technical Details

Data Version: 5.1
Assigner Short Name: INCIBE
Date Reserved: 2025-04-16T08:38:14.998Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6846d5937b622a9fdf22551a

Added to database: 6/9/2025, 12:37:39 PM

Last enriched: 7/9/2025, 1:26:15 PM

Last updated: 8/4/2025, 8:34:48 PM
