CVE-2025-40670: CWE-863 Incorrect Authorization in TCMAN GIM
Incorrect authorization vulnerability in TCMAN's GIM v11. This vulnerability allows an unprivileged attacker to create a user and assign it many privileges by sending a POST request to /PC/frmGestionUser.aspx/updateUser.
AI Analysis
Technical Summary
CVE-2025-40670 is an incorrect authorization vulnerability (CWE-863) in version 11 of TCMAN's GIM product. An unprivileged attacker can escalate privileges by sending a crafted POST request to the endpoint /PC/frmGestionUser.aspx/updateUser: the request creates a new user account and assigns it extensive privileges, and the server never verifies that the requester is permitted to perform user management operations before processing them. That missing access control check is the core of the flaw.

The vulnerability has a CVSS 4.0 base score of 7.1, a high severity level. The vector shows that the attack can be performed remotely over the network (AV:N), requires low attack complexity (AC:L), and does not require authentication (AT:N) or user interaction (UI:N). The impact on confidentiality is none, integrity impact is high because of the unauthorized privilege assignment, and availability is not affected. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was published on June 9, 2025, and assigned by INCIBE.

The risk is significant because an attacker who gains elevated privileges can potentially take full control of the affected system, leading to unauthorized access, data manipulation, and further lateral movement within the network.
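The check the summary says is missing, shown as an added Python illustration that is not TCMAN GIM code (GIM is an ASP.NET application; the Session, UserStore, update_user objects and the role and privilege names below are hypothetical stand-ins). The unchecked handler trusts the request body; the hardened one establishes identity, requires an explicit role for the action, and bounds what can be granted:

```python
"""Deny-by-default authorization for a user-update operation (CWE-863 illustration).

Added example, not TCMAN GIM code. Session, UserStore, update_user and the
role/privilege names are hypothetical stand-ins for the real application's objects.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Optional, Set

ROLE_USER_ADMIN = "user_admin"                               # hypothetical role name
KNOWN_PRIVILEGES = {"read", "write", "admin", "user_admin"}  # constructed privilege catalogue


class AuthorizationError(Exception):
    """Raised when a request fails an authorization check; nothing is written."""


@dataclass(frozen=True)
class Session:
    username: Optional[str]                    # None models an unauthenticated caller
    roles: FrozenSet[str] = frozenset()
    privileges: FrozenSet[str] = frozenset()


@dataclass
class UserStore:
    users: Dict[str, Set[str]] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)


def update_user_unchecked(store: UserStore, target: str, privileges: Iterable[str]) -> bool:
    """The failure mode in the summary: the body is trusted, the caller is never examined."""
    store.users[target] = set(privileges)
    return True


def update_user(store: UserStore, session: Session, target: str,
                privileges: Iterable[str]) -> bool:
    """Hardened form: identity, then permission for the action, then bounds on the grant."""
    if session.username is None:
        store.audit.append(f"DENY anonymous updateUser target={target}")
        raise AuthorizationError("authentication required")

    if ROLE_USER_ADMIN not in session.roles:
        store.audit.append(f"DENY {session.username} without {ROLE_USER_ADMIN} target={target}")
        raise AuthorizationError("user administration role required")

    requested = set(privileges)
    unknown = requested - KNOWN_PRIVILEGES
    if unknown:
        store.audit.append(f"DENY {session.username} unknown privileges {sorted(unknown)}")
        raise AuthorizationError("unknown privilege requested")

    # A caller may only grant what it holds itself, so an administrator with
    # limited privileges cannot mint an account more powerful than its own.
    excess = requested - session.privileges
    if excess:
        store.audit.append(f"DENY {session.username} cannot grant {sorted(excess)} to {target}")
        raise AuthorizationError("cannot grant privileges the caller does not hold")

    store.users[target] = requested
    store.audit.append(f"ALLOW {session.username} set {sorted(requested)} on {target}")
    return True


def try_update(store: UserStore, session: Session, target: str,
               privileges: Iterable[str]) -> bool:
    """Convenience wrapper: True if the update was allowed, False if it was denied."""
    try:
        return update_user(store, session, target, privileges)
    except AuthorizationError:
        return False
```

Every denial is written to the audit list before the exception is raised, which is what mitigation 2 below relies on: an unauthenticated or under-privileged attempt to touch user accounts is a signal worth alerting on even when it fails.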
Potential Impact
For European organizations using TCMAN GIM version 11, this vulnerability presents a critical risk to internal security and operational integrity. Unauthorized creation of privileged users can lead to insider-like access by attackers, enabling data breaches, sabotage, or espionage. Given that GIM is likely used for identity or user management, compromise could cascade to other connected systems, amplifying the impact. European entities in sectors such as government, finance, healthcare, and critical infrastructure that rely on TCMAN GIM for user management are particularly vulnerable. The breach of user management controls undermines compliance with GDPR and other data protection regulations, potentially resulting in legal and financial penalties. Additionally, the ease of exploitation without authentication increases the likelihood of attacks, especially if the system is exposed to the internet or accessible from less secure internal networks. The absence of known exploits in the wild currently provides a window for mitigation, but the high severity score demands urgent attention to prevent exploitation.
Mitigation Recommendations
1. Immediate mitigation should include restricting access to the /PC/frmGestionUser.aspx/updateUser endpoint through network segmentation, firewall rules, or VPN requirements to limit exposure only to trusted administrators.
2. Implement strict monitoring and logging of user creation and privilege assignment activities to detect suspicious behavior promptly.
3. Apply compensating controls such as multi-factor authentication (MFA) for all administrative interfaces to reduce risk if unauthorized accounts are created.
4. Conduct a thorough audit of existing user accounts and privileges to identify and remediate any unauthorized or excessive permissions.
5. Engage with TCMAN vendor support to obtain patches or updates addressing this vulnerability as soon as they become available.
6. Until a patch is released, consider deploying web application firewalls (WAF) with custom rules to detect and block unauthorized POST requests to the vulnerable endpoint.
7. Educate IT and security teams about this vulnerability to ensure rapid incident response capability.
8. Review and tighten authorization logic in custom or integrated applications interfacing with GIM to prevent privilege escalation.
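Recommendations 1, 2 and 6 all come down to recognising POST requests to the vulnerable endpoint that do not originate from an authenticated administrator on an expected host. The following is an added example, not TCMAN tooling, of that check run over IIS W3C log lines; the endpoint path is the one named in the advisory, while the administrator host allowlist, the IIS field selection and the log entries themselves are constructed assumptions:

```python
"""Flag POSTs to the vulnerable GIM endpoint in IIS W3C extended logs.

Added example, not TCMAN tooling. The log lines are constructed and
ADMIN_SOURCES is a hypothetical allowlist of hosts administrators use.
"""
from collections import Counter
from typing import Dict, Iterator, List, Tuple

VULN_ENDPOINT = "/PC/frmGestionUser.aspx/updateUser"   # path from the advisory
ADMIN_SOURCES = {"10.0.5.10", "10.0.5.11"}             # hypothetical admin jump hosts

# Constructed sample: one legitimate admin update, two unauthenticated requests
# from an external address (one with a case-changed path), one authenticated
# request from a workstation that is not on the admin allowlist.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-06-10 08:01:12 10.0.1.5 GET /PC/frmGestionUser.aspx - 443 DOMAIN\\alice 10.0.5.10 Mozilla/5.0 200
2025-06-10 08:01:40 10.0.1.5 POST /PC/frmGestionUser.aspx/updateUser - 443 DOMAIN\\alice 10.0.5.10 Mozilla/5.0 200
2025-06-10 08:02:03 10.0.1.5 POST /pc/frmgestionuser.aspx/updateuser - 443 - 203.0.113.7 python-requests/2.31 200
2025-06-10 08:02:04 10.0.1.5 POST /PC/frmGestionUser.aspx/updateUser - 443 - 203.0.113.7 python-requests/2.31 200
2025-06-10 08:05:30 10.0.1.5 POST /PC/frmGestionUser.aspx/updateUser - 443 DOMAIN\\bob 10.0.7.22 Mozilla/5.0 200
"""


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per entry, using the #Fields directive to name the columns."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        parts = line.split()
        if not fields or len(parts) != len(fields):
            continue  # malformed or truncated entry; skip rather than misattribute
        yield dict(zip(fields, parts))


def is_vuln_post(rec: Dict[str, str]) -> bool:
    """IIS paths are case-insensitive, so the match must be too."""
    return (rec["cs-method"].upper() == "POST"
            and rec["cs-uri-stem"].lower() == VULN_ENDPOINT.lower())


def analyze(text: str, admin_sources=ADMIN_SOURCES) -> Tuple[List[Dict[str, object]], Counter]:
    """Return suspicious updateUser POSTs and a per-source count of all such POSTs."""
    findings: List[Dict[str, object]] = []
    per_source: Counter = Counter()
    for rec in parse_w3c(text):
        if not is_vuln_post(rec):
            continue
        src = rec["c-ip"]
        per_source[src] += 1
        reasons = []
        if rec["cs-username"] == "-":
            reasons.append("no authenticated user")
        if src not in admin_sources:
            reasons.append("source not in admin allowlist")
        if reasons:
            findings.append({
                "time": f"{rec['date']} {rec['time']}",
                "source": src,
                "user": rec["cs-username"],
                "status": rec["sc-status"],
                "reasons": reasons,
            })
    return findings, per_source


if __name__ == "__main__":
    hits, counts = analyze(SAMPLE_LOG)
    for h in hits:
        print(h["time"], h["source"], h["user"], h["status"], "; ".join(h["reasons"]))
    print("updateUser POSTs per source:", dict(counts))
```

Two caveats when applying this to real logs: cs-username is only populated by IIS when Windows authentication is in use, so if GIM relies on ASP.NET forms authentication every entry will show "-" and the host allowlist plus the application's own user-change log (recommendation 2) become the meaningful signals; and an sc-status of 200 on a flagged request means the server processed it, whereas a 401 or 403 from a WAF or firewall rule (recommendation 6) indicates a blocked attempt that still warrants investigation of the source.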
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: INCIBE
- Date Reserved: 2025-04-16T08:38:14.998Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6846d5937b622a9fdf22551e
Added to database: 6/9/2025, 12:37:39 PM
Last enriched: 7/9/2025, 1:25:41 PM
Last updated: 8/22/2025, 7:31:06 PM
Related Threats
- CVE-2025-58058: CWE-770: Allocation of Resources Without Limits or Throttling in ulikunitz xz (Medium)
- CVE-2025-9590: Cross Site Scripting in Weaver E-Mobile Mobile Management Platform (Medium)
- CVE-2025-9589: Use of Default Password in Cudy WR1200EA (Low)
- CVE-2025-9586: Command Injection in Comfast CF-N1 (Medium)
- CVE-2025-9585: Command Injection in Comfast CF-N1 (Medium)