CVE-2025-41014: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in TCMAN GIM
CVE-2025-41014 is a medium-severity user enumeration vulnerability in TCMAN GIM v11 (20250304). It allows unauthenticated attackers to verify the existence of users via the 'pda:username' parameter in the SOAP action 'GetLastDatePasswordChange' at the endpoint '/WS/PDAWebService.asmx'. This exposure of sensitive information (CWE-200) can facilitate further targeted attacks such as phishing or brute force. The vulnerability requires no authentication or user interaction and has a CVSS 4.0 base score of 6.9. There are no known exploits in the wild and no patches currently available. European organizations using TCMAN GIM should be aware of the risk of user enumeration leading to compromised confidentiality and should implement mitigations promptly. Countries with higher adoption of TCMAN products and critical infrastructure using this software are at greater risk.
AI Analysis
Technical Summary
CVE-2025-41014 is a vulnerability in TCMAN GIM version 11 (build 20250304) that allows an unauthenticated attacker to enumerate users through the 'pda:username' parameter of the SOAP web method 'GetLastDatePasswordChange' exposed at '/WS/PDAWebService.asmx'. It is classified as CWE-200, exposure of sensitive information to an unauthorized actor. An attacker can determine whether a given username exists without any authentication or user interaction by submitting SOAP requests for candidate usernames and comparing the responses returned for existing and non-existing accounts. The CVSS 4.0 base score is 6.9 (medium), reflecting a network attack vector, low attack complexity, no privileges or user interaction required, and an impact limited to confidentiality (disclosure of whether an account exists). No exploits are reported in the wild and no official patch has been released, but the check is trivial to automate, and a verified username list is exactly what targeted phishing, password guessing and brute-force attacks need as input. The affected version listed is TCMAN GIM 11 (20250304); because the vulnerable method requires no authentication, every client that can reach the endpoint is part of the attack surface. The CVE was assigned by INCIBE and published in December 2025. Integrity and availability are not directly affected; the impact is the leak of account existence information.
Potential Impact
For European organizations using TCMAN GIM, this vulnerability primarily threatens the confidentiality of user information by allowing attackers to confirm valid usernames without authentication. A verified username list significantly aids targeted phishing campaigns, credential stuffing and brute-force attacks, and can lead to unauthorized access when combined with weak password policies or other vulnerabilities. Organizations in sectors with high-value targets, such as finance, government or critical infrastructure, face increased risk because of the strategic value of user enumeration data. The exposure can also undermine trust in the affected systems and raise compliance issues under data protection regulations such as GDPR, which requires protection of personal data, including usernames that identify individuals. While the vulnerability itself does not allow direct system compromise, it lowers the barrier for attackers to escalate, increasing overall organizational risk. With no patch available, organizations must rely on compensating controls; the absence of known exploits should not be read as absence of risk, since enumeration of this kind is easy to script.
Mitigation Recommendations
1. Restrict access to the vulnerable SOAP endpoint '/WS/PDAWebService.asmx' by implementing network-level controls such as IP allow-listing or VPN requirements to limit exposure to trusted users only.
2. Implement rate limiting and anomaly detection on the web service to detect and block repeated requests that indicate user enumeration attempts.
3. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious SOAP requests targeting the 'GetLastDatePasswordChange' action with the 'pda:username' parameter.
4. Monitor logs for unusual access patterns or repeated attempts to enumerate users and respond promptly to incidents.
5. Enforce strong password policies and multi-factor authentication (MFA) to reduce the risk of credential-based attacks that could follow user enumeration.
6. Engage with TCMAN vendor support to obtain patches or updates as they become available and plan for timely deployment.
7. Conduct user awareness training to recognize phishing attempts that may leverage enumerated usernames.
8. Consider temporarily disabling or restricting the vulnerable service if it is not essential to business operations until a patch is available.
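The rate-limiting, WAF and log-monitoring items above all reduce to one check: how many distinct 'pda:username' values a single client submits to 'GetLastDatePasswordChange' within a short window. The following is an added example written for this page; it is not TCMAN code or a vendor-supplied tool. It assumes a reverse proxy or WAF in front of GIM that logs each request as one JSON line with the fields ts, src, path, soapaction and body. The SOAP namespace URI urn:example-pda, the client addresses and the usernames in the sample log are constructed for illustration; the element local name 'username' and the action and endpoint names come from the advisory.

```python
"""Flag user-enumeration attempts against GetLastDatePasswordChange.

Added example for CVE-2025-41014; not part of TCMAN GIM. Assumes a proxy
log of one JSON record per request (ts, src, path, soapaction, body).
"""
import json
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Optional

TARGET_PATH = "/WS/PDAWebService.asmx"
TARGET_ACTION = "GetLastDatePasswordChange"

# The advisory names the parameter pda:username but not its namespace URI,
# so match on the local name with any (or no) prefix.
_USERNAME_RE = re.compile(
    r"<(?:\w+:)?username\b[^>]*>(.*?)</(?:\w+:)?username>", re.I | re.S
)


def extract_username(body: str) -> Optional[str]:
    """Return the username submitted in a SOAP body, or None."""
    m = _USERNAME_RE.search(body)
    return m.group(1).strip() if m else None


def is_target_request(rec: dict) -> bool:
    """True when the request goes to the vulnerable endpoint and action."""
    path = rec.get("path", "").split("?", 1)[0].lower()
    if path != TARGET_PATH.lower():
        return False
    action = (rec.get("soapaction") or "").lower()
    body = rec.get("body", "").lower()
    # .NET ASMX accepts the action via the SOAPAction header or the body element.
    return TARGET_ACTION.lower() in action or TARGET_ACTION.lower() in body


def detect_enumeration(lines, window=timedelta(minutes=5), threshold=5):
    """Alert once per source that probes >= threshold distinct users in a window."""
    events = defaultdict(list)
    for line in lines:
        rec = json.loads(line)
        if not is_target_request(rec):
            continue
        user = extract_username(rec.get("body", ""))
        if user is None:
            continue
        events[rec["src"]].append((datetime.fromisoformat(rec["ts"]), user))

    alerts = []
    for src, evs in events.items():
        evs.sort()
        seen = Counter()  # distinct usernames inside the sliding window
        lo = 0
        for ts, user in evs:
            seen[user] += 1
            while evs[lo][0] < ts - window:  # expire events older than the window
                old = evs[lo][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                lo += 1
            if len(seen) >= threshold:
                alerts.append({
                    "src": src,
                    "first": evs[lo][0].isoformat(),
                    "last": ts.isoformat(),
                    "distinct_users": sorted(seen),
                })
                break  # one alert per source is enough to trigger blocking
    return alerts


# ---- constructed sample log (not real traffic) ----------------------------
def _soap(user: str) -> str:
    return (
        '<?xml version="1.0"?>'
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
        'xmlns:pda="urn:example-pda"><soap:Body>'
        f"<pda:{TARGET_ACTION}><pda:username>{user}</pda:username></pda:{TARGET_ACTION}>"
        "</soap:Body></soap:Envelope>"
    )


def _rec(ts: str, src: str, user: str) -> str:
    return json.dumps({"ts": ts, "src": src, "path": TARGET_PATH,
                       "soapaction": f'"urn:example-pda/{TARGET_ACTION}"',
                       "body": _soap(user)})


SAMPLE_LOG = [
    # 203.0.113.7 walks a wordlist: eight names in under a minute
    *[_rec(f"2025-12-02T13:40:{i * 8:02d}", "203.0.113.7", u)
      for i, u in enumerate(["admin", "jsmith", "mgarcia", "operator",
                             "root", "service", "test", "backup"])],
    # 198.51.100.20 is a legitimate PDA client polling one account
    _rec("2025-12-02T13:41:05", "198.51.100.20", "mgarcia"),
    _rec("2025-12-02T13:46:05", "198.51.100.20", "mgarcia"),
    # 198.51.100.33 queries two accounts: below threshold
    _rec("2025-12-02T13:42:00", "198.51.100.33", "jsmith"),
    _rec("2025-12-02T13:42:30", "198.51.100.33", "mgarcia"),
    # a different action on the same endpoint is ignored
    json.dumps({"ts": "2025-12-02T13:43:00", "src": "203.0.113.7",
                "path": TARGET_PATH, "soapaction": '"urn:example-pda/Login"',
                "body": "<x/>"}),
]

if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG):
        print(json.dumps(alert))
```

The threshold and window are the tuning knobs: a handheld client legitimately asks about one account repeatedly, so counting distinct usernames rather than raw request volume keeps false positives low. Because the advisory does not describe how the responses for existing and non-existing accounts differ, this is request-side detection only; the same is_target_request predicate can be translated into a WAF rule to rate-limit or block the action outright until a vendor fix ships.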
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: INCIBE
- Date Reserved: 2025-04-16T09:08:43.218Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 692eecf35ae7112264d1dd3a
Added to database: 12/2/2025, 1:43:15 PM
Last enriched: 12/9/2025, 2:39:22 PM
Last updated: 1/16/2026, 10:15:41 PM