
CVE-2025-41064: CWE-287 Improper Authentication in GTT OpenSIAC

Severity: Critical
Published: Thu Oct 02 2025 (10/02/2025, 11:20:17 UTC)
Source: CVE Database V5
Vendor/Project: GTT
Product: OpenSIAC

Description

Incorrect authentication vulnerability in OpenSIAC, which could allow an attacker to impersonate a person using Cl@ve as an authentication method.

AI-Powered Analysis

Last updated: 10/02/2025, 11:25:45 UTC

Technical Analysis

CVE-2025-41064 is a critical improper authentication vulnerability (CWE-287) identified in version 1.0 of GTT's OpenSIAC product. OpenSIAC is a software platform that integrates with Cl@ve, a Spanish government-backed electronic identification and authentication system widely used for accessing public services. The vulnerability arises from incorrect authentication logic within OpenSIAC, which could allow an unauthenticated attacker to impersonate a legitimate user authenticated via Cl@ve.

The CVSS 4.0 base score of 9.3 reflects the severity: the vulnerability is remotely exploitable (AV:N), requires no privileges (PR:N) and no user interaction (UI:N), and has a high impact on confidentiality, integrity, and availability (VC:H/VI:H/VA:H). Because neither authentication nor user interaction is needed, exploitation is straightforward for any attacker who can interact with the vulnerable system. A successful attacker could bypass authentication controls, potentially gaining unauthorized access to sensitive personal data or administrative functions within OpenSIAC.

Although no known exploits are currently reported in the wild, the critical severity and the nature of the vulnerability make it a high-risk issue that demands immediate attention. The lack of available patches at the time of publication further increases the urgency for mitigation.

Potential Impact

For European organizations, particularly those in Spain or entities interacting with Spanish public services, this vulnerability poses a significant risk. Since Cl@ve is a national electronic identity system used for secure access to government portals and services, exploitation could lead to unauthorized access to personal data, fraudulent transactions, or manipulation of sensitive administrative processes. This could result in severe privacy breaches, legal liabilities under GDPR, reputational damage, and disruption of public services. Organizations relying on OpenSIAC for identity verification or service integration may face operational risks and loss of trust from users. Furthermore, the broad impact on confidentiality, integrity, and availability means that attackers could not only steal data but also alter or delete critical information, potentially causing cascading effects on service delivery and compliance obligations.

Mitigation Recommendations

Given the absence of an official patch, European organizations should implement immediate compensating controls. These include:

1) Restricting network access to OpenSIAC instances by enforcing strict firewall rules and VPN-only access to minimize exposure to untrusted networks.
2) Implementing additional multi-factor authentication layers outside of Cl@ve integration to add defense-in-depth.
3) Conducting thorough logging and monitoring of authentication attempts and user activities to detect anomalous behavior indicative of exploitation attempts.
4) Temporarily disabling or limiting OpenSIAC functionalities that rely on Cl@ve authentication until a patch is available.
5) Engaging with GTT and relevant national cybersecurity authorities (e.g., INCIBE in Spain) for updates and guidance.
6) Reviewing and tightening identity and access management policies to ensure least privilege principles are enforced.
7) Preparing incident response plans specifically addressing potential impersonation and unauthorized access scenarios related to this vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: INCIBE
Date Reserved: 2025-04-16T09:09:33.104Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68de612ad9c552cd9d084e7e

Added to database: 10/2/2025, 11:25:30 AM

Last enriched: 10/2/2025, 11:25:45 AM

Last updated: 10/2/2025, 2:03:46 PM
