CVE-2025-41012: CWE-862 Missing Authorization in TCMAN GIM
Unauthorized access vulnerability in TCMAN GIM v11 version 20250304. This vulnerability allows an unauthenticated attacker to determine whether a user exists on the system by using the 'pda:userId' and 'pda:newPassword' parameters with 'soapaction UnlockUser' in '/WS/PDAWebService.asmx'.
AI Analysis
Technical Summary
CVE-2025-41012 is a vulnerability identified in the TCMAN GIM product, version 11 (build 20250304), involving a missing authorization check (CWE-862) in the web service interface. Specifically, the vulnerability exists in the '/WS/PDAWebService.asmx' endpoint, where the 'soapaction UnlockUser' operation accepts parameters 'pda:userId' and 'pda:newPassword'. Due to improper authorization enforcement, an unauthenticated attacker can send crafted SOAP requests to this endpoint to determine if a specific user exists on the system. This user enumeration capability can be leveraged for further targeted attacks such as credential stuffing, phishing, or brute force attempts. The vulnerability does not require any authentication or user interaction, and the attack vector is network accessible (AV:N), making exploitation straightforward. The CVSS 4.0 vector indicates no privileges required (PR:N), no user interaction (UI:N), and high impact on confidentiality (VC:H), while integrity and availability remain unaffected. Although no public exploits have been reported yet, the high CVSS score (8.7) reflects the severity of the information disclosure risk. The vulnerability was reserved in April 2025 and published in December 2025 by INCIBE, highlighting its recent discovery. No patches are currently linked, suggesting organizations must implement interim mitigations until official fixes are released.
Potential Impact
The primary impact of CVE-2025-41012 is the unauthorized disclosure of user existence information, which compromises confidentiality. For European organizations, this can facilitate targeted cyberattacks such as credential stuffing, social engineering, and spear-phishing campaigns by confirming valid user accounts. In sectors like finance, healthcare, and government, where TCMAN GIM might be used for identity or access management, this vulnerability could expose sensitive user data indirectly by enabling attackers to focus on legitimate accounts. The lack of authentication and ease of exploitation increase the risk of widespread scanning and enumeration attacks. Although the vulnerability does not directly affect system integrity or availability, the information gained can be a stepping stone for more damaging attacks. Organizations with large user bases or critical infrastructure relying on TCMAN GIM are particularly vulnerable to reputational damage and potential regulatory penalties under GDPR if user data confidentiality is compromised.
Mitigation Recommendations
1. Immediately restrict access to the '/WS/PDAWebService.asmx' endpoint, especially the 'UnlockUser' SOAP action, by implementing network-level controls such as IP whitelisting or VPN-only access.
2. Deploy web application firewalls (WAFs) with custom rules to detect and block suspicious SOAP requests containing 'pda:userId' and 'pda:newPassword' parameters targeting the UnlockUser action.
3. Monitor logs for unusual patterns of user enumeration attempts, including repeated queries for different user IDs from the same source.
4. Enforce strong authentication and authorization checks on all web service endpoints, ensuring that only authorized users can invoke sensitive operations.
5. Coordinate with the TCMAN vendor for timely patches or updates addressing this vulnerability, and plan for rapid deployment once they are available.
6. Educate security teams to recognize and respond to potential reconnaissance activities stemming from this vulnerability.
7. Consider implementing rate limiting on the affected endpoint to reduce the feasibility of automated enumeration attacks.
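The log monitoring in recommendation 3 can be sketched as follows. This is an added example, not vendor or TCMAN code: it flags sources that query many distinct user IDs through UnlockUser within a short window. The log layout, the threshold and the window are assumptions, and the layout presumes a proxy or WAF that records the SOAPAction header and the 'pda:userId' value from the request body.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in a hypothetical proxy/WAF log layout:
# ISO timestamp, source IP, request path, SOAPAction header, pda:userId value
SAMPLE_LOG = """\
2025-12-02T10:00:01 203.0.113.7 /WS/PDAWebService.asmx UnlockUser u01
2025-12-02T10:00:03 203.0.113.7 /WS/PDAWebService.asmx UnlockUser u02
2025-12-02T10:00:05 203.0.113.7 /ws/pdawebservice.asmx UnlockUser u03
2025-12-02T10:00:07 203.0.113.7 /WS/PDAWebService.asmx "http://example.invalid/UnlockUser" u04
2025-12-02T10:00:09 203.0.113.7 /WS/PDAWebService.asmx UnlockUser u05
2025-12-02T10:00:11 203.0.113.7 /WS/PDAWebService.asmx UnlockUser u06
2025-12-02T10:01:00 198.51.100.20 /WS/PDAWebService.asmx UnlockUser jsmith
2025-12-02T10:01:20 198.51.100.20 /WS/PDAWebService.asmx UnlockUser jsmith
2025-12-02T10:02:00 192.0.2.15 /WS/PDAWebService.asmx UnlockUser a1
2025-12-02T10:12:00 192.0.2.15 /WS/PDAWebService.asmx UnlockUser a2
2025-12-02T10:22:00 192.0.2.15 /WS/PDAWebService.asmx Login a3
"""

def parse(line):
    """Return (time, source, user_id) for UnlockUser calls, else None."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, path, action, user_id = parts
    # Compare case-insensitively; accept a bare or URI-style SOAPAction value.
    op = action.strip('"').rsplit("/", 1)[-1].lower()
    if path.lower() != "/ws/pdawebservice.asmx" or op != "unlockuser":
        return None
    return datetime.fromisoformat(ts), src, user_id

def find_enumeration(log_text, min_distinct=5, window=timedelta(minutes=1)):
    """Map source -> peak count of distinct user IDs inside one window."""
    by_source = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            by_source[rec[1]].append((rec[0], rec[2]))
    flagged = {}
    for src, events in by_source.items():
        events.sort()
        recent, peak = deque(), 0
        for when, user_id in events:
            recent.append((when, user_id))
            while when - recent[0][0] > window:  # drop events outside window
                recent.popleft()
            peak = max(peak, len({u for _, u in recent}))
        if peak >= min_distinct:
            flagged[src] = peak
    return flagged
```

Counting distinct user IDs rather than raw requests keeps a single user retrying their own account (198.51.100.20 in the sample) from triggering the alert.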
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: INCIBE
- Date Reserved: 2025-04-16T09:08:43.217Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 692ee9715ae7112264cd39c7
Added to database: 12/2/2025, 1:28:17 PM
Last enriched: 12/2/2025, 1:43:18 PM
Last updated: 1/16/2026, 10:11:45 PM