Multiple vulnerabilities in TCMAN's GIM
GIM v11.
INCIBE has coordinated the publication of 6 vulnerabilities of critical severity affecting GIM v11, a software tool for managing maintenance and related services for an organisation's physical assets, which were discovered by Pablo Pardo.
Each vulnerability has been assigned the following identifier, CVSS base score, CVSS vector and CWE vulnerability type:
- CVE-2025-40620 to CVE-2025-40624: CVSS v4.0: 9.3 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-89
- CVE-2025-40625: CVSS v4.0: 9.3 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-434
These vulnerabilities have been fixed by the TCMAN team in version 1280.
CVE-2025-40620 to CVE-2025-40624: SQL injection in TCMAN's GIM v11. This vulnerability allows an unauthenticated attacker to inject an SQL statement and thereby read, update and delete all information in the database. The vulnerability was found in the following parameters, listed by identifier:
- CVE-2025-40620: 'User' parameter of the 'ValidateUserAndWS' endpoint.
- CVE-2025-40621: 'User' parameter of the 'ValidateUserAndGetData' endpoint.
- CVE-2025-40622: 'username' parameter of the 'GetLastDatePasswordChange' endpoint.
- CVE-2025-40623: 'Sender' and 'email' parameters of the 'createNotificationAndroid' endpoint.
- CVE-2025-40624: 'User' and 'email' parameters of the 'updatePassword' endpoint.
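The following is an added illustration of the CWE-89 pattern behind these five findings and of its fix; it is not GIM's code (the advisory does not show it) and assumes a hypothetical users table so that a user-lookup like 'ValidateUserAndWS' can be modelled in memory.

```python
import sqlite3

# Constructed sample rows standing in for a GIM-like user table; the real
# schema is not described in the advisory.
SAMPLE_USERS = [("alice", "ws-madrid"), ("bob", "ws-bilbao")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, workstation TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def validate_user_unsafe(conn: sqlite3.Connection, user: str) -> list:
    # CWE-89: the 'User' value is spliced into the SQL text, so a quote in it
    # changes the query instead of being matched as data.
    query = f"SELECT name, workstation FROM users WHERE name = '{user}'"
    return conn.execute(query).fetchall()


def validate_user_safe(conn: sqlite3.Connection, user: str) -> list:
    # Hardened form: a bound parameter is always treated as a value, so the
    # same input simply matches no row.
    query = "SELECT name, workstation FROM users WHERE name = ?"
    return conn.execute(query, (user,)).fetchall()


def looks_like_injection(user: str) -> bool:
    # Cheap logging/alerting heuristic for a username field; a complement to,
    # never a replacement for, parameterised queries.
    return any(tok in user for tok in ("'", "--", ";", "/*"))


def demo() -> dict:
    conn = make_db()
    crafted = "x' OR '1'='1"  # constructed input that closes the quote
    return {
        "safe_alice": validate_user_safe(conn, "alice"),
        "unsafe_crafted": validate_user_unsafe(conn, crafted),
        "safe_crafted": validate_user_safe(conn, crafted),
        "flagged": looks_like_injection(crafted),
    }
```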
CVE-2025-40625: Unrestricted file upload in TCMAN's GIM v11. This vulnerability allows an unauthenticated attacker to upload any file to the server, including a malicious file that leads to Remote Code Execution (RCE).