Bypass in the authentication method of the GTT Sistema de Información Tributario application
Sistema de Información Tributario.
INCIBE has coordinated the publication of a critical vulnerability affecting the GTT Tax Information System application, a technological solution that provides comprehensive tax management for the Administration, which was discovered by Julian J. Menéndez of Hispasec.
This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type:
CVE-2025-13953: CVSS v4.0: 9.3 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N | CWE-290
The vulnerability has been fixed by disabling the Active Directory (LDAP) authentication method. The vulnerability is no longer exploitable at this time.
CVE-2025-13953: bypass vulnerability in the authentication method in the GTT Tax Information System application, related to the Active Directory (LDAP) login method.
Authentication is performed through a local WebSocket, but the web application does not properly validate the authenticity or origin of the data received, allowing an attacker with access to the local machine or internal network to impersonate the legitimate WebSocket and inject manipulated information.
Exploiting this vulnerability could allow an attacker to authenticate as any user in the domain, without the need for valid credentials, compromising the confidentiality, integrity, and availability of the application and its data.
