A critical SQL injection vulnerability, identified as CVE-2025-41013, has been discovered in TCMAN GIM software. This flaw allows an unauthenticated attacker to gain complete control over the application's database by sending a specially crafted web request. Successful exploitation could lead to a total compromise of data confidentiality, integrity, and availability, resulting in severe data breaches or system disruption.

The vulnerability is a classic SQL injection flaw located in the /PC/frmEPIS.aspx endpoint. The idmant parameter within a GET request is not properly sanitized before being used in a database query. An attacker can inject malicious SQL commands into this parameter, allowing them to execute arbitrary queries on the backend database, including retrieving, creating, updating, and deleting any data.

This vulnerability is rated as critical severity with a CVSS score of 9.8, indicating a high risk of exploitation with significant potential impact. A successful attack could lead to a complete compromise of the database, resulting in a major data breach of sensitive information, such as customer data, financial records, or intellectual property. The ability for an attacker to modify or delete data could cripple business operations, corrupt critical information, and cause extended downtime. The resulting consequences include severe reputational damage, financial loss, and potential regulatory penalties.

Immediate Action: Immediately apply the security update provided by the vendor to patch all affected instances of TCMAN GIM. Before and after patching, closely monitor for any signs of exploitation attempts by reviewing web server and database access logs for suspicious activity related to the vulnerable endpoint.

Proactive Monitoring: Security teams should actively monitor for anomalous GET requests to the /PC/frmEPIS.aspx URL. Specifically, look for requests where the idmant parameter contains SQL keywords (e.g., SELECT, UNION, DROP, '--'), special characters, or unusually long strings. Implement alerts for multiple failed database queries or unusual database read/write activity originating from the web application server.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to inspect and block malicious SQL injection patterns targeting the /PC/frmEPIS.aspx endpoint and the idmant parameter. Restrict network access to the application to only trusted IP addresses and consider taking the affected endpoint offline if it is not business-critical.

Public Exploit Available: false

Given the critical severity of this vulnerability, immediate action is required. The primary recommendation is to apply the vendor-supplied patch to all affected systems without delay. Although this CVE is not currently on the CISA KEV list, its high-impact nature makes it a top-priority target for attackers. Organizations must assume it will be exploited and should treat its remediation as an emergency. If patching is delayed, the compensating controls outlined above must be implemented immediately to reduce the risk of compromise.