Incorrect authentication in GTT group's OpenSIAC
OpenSIAC, version 1.0.
Note: the problem is limited to customers who use Cl@ve as their identification system. Customers who use OpenSIAC with other identification systems, such as VALIDe or digital certificates, are not affected by this vulnerability, which has already been resolved.
INCIBE has coordinated the publication of a critical vulnerability affecting OpenSIAC from the GTT group, a digital government platform used by public administrations to manage files, procedures and services for citizens. The vulnerability was discovered by David Manuel Herrera Rodríguez.
This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:
- CVE-2025-41064: CVSS v4.0: 9.3 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-287
The vulnerability has been fixed by the GTT group in version 1.2.
CVE-2025-41064: Incorrect authentication vulnerability in OpenSIAC, which could allow an attacker to impersonate a person using Cl@ve as an authentication method.



