Cyber Resilience

CVE-2025-40625

Critical

Published: 06 May 2025
Modified: 13 May 2025
CVSS v4.0 base score: 9.3 (vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0229 (85.1th percentile)
Risk priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-40625 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in TCMAN GIM. Its CVSS base score is 9.3 (Critical).

Operationally, its EPSS score ranks it in the top 14.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2025-40625 is an unrestricted file upload vulnerability, tracked under CWE-434, that affects TCMAN GIM version 11. The flaw permits arbitrary files, including executable content, to be written to the server without any type or content restrictions.

An unauthenticated remote attacker can exploit the issue over the network by directly uploading a malicious file. Successful exploitation grants the attacker remote code execution with full control over the affected server, corresponding to the CVSS 9.3 rating that reflects no required authentication or user interaction.

The sole referenced advisory from INCIBE describes multiple vulnerabilities in the same product but provides no further mitigation details in the available record. The associated EPSS score has remained flat at 0.0229 with no observed increase after disclosure.

Vulnerability details

Unrestricted file upload in TCMAN's GIM v11. This vulnerability allows an unauthenticated attacker to upload any file within the server, even a malicious file to obtain a Remote Code Execution (RCE).

CWE(s)

CWE-434 (Unrestricted Upload of File with Dangerous Type)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: tcman; product: gim; version: 11.0

Mitigating Controls

Likely mitigating controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-434: Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.

Addresses CWE-434: Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.

Addresses CWE-434: Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.

Addresses CWE-434: Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.
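The controls above are generic; what actually closes CWE-434 in application code is validating uploads before they reach disk. The following is an added illustrative example, not TCMAN GIM code and not derived from the vulnerable implementation (which this record does not show). It assumes a generic web-upload handler and uses invented function names (validate_upload, save_upload) and constructed sample files. It demonstrates the checks a defender wants in place: an extension allowlist, a content (magic-byte) check so a renamed script cannot pass as an image, a size limit, a random server-side filename so client-supplied paths never reach the filesystem, and a non-executable file mode with no overwrite.

```python
"""Hardened upload validation for CWE-434 (added example; hypothetical handler, not TCMAN GIM code)."""
import os
import secrets
import tempfile
from dataclasses import dataclass

MAX_BYTES = 5 * 1024 * 1024  # assumption: 5 MiB upload cap

# Allowlist: accepted extension -> (required leading magic bytes, MIME type to record).
# Anything not in this table is rejected, whatever the client claims.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    "jpg": (b"\xff\xd8\xff", "image/jpeg"),
    "jpeg": (b"\xff\xd8\xff", "image/jpeg"),
    "pdf": (b"%PDF-", "application/pdf"),
}


@dataclass
class Decision:
    accepted: bool
    reason: str
    stored_name: str = ""
    mime: str = ""


def _extension(filename: str) -> str:
    """Return the last extension of the last path component, lower-cased.

    Only the base name is considered, so "../../x/job.png" and "job.png" are
    treated alike; the stored name below is random anyway, so the client path
    never influences where the file lands.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def validate_upload(filename: str, data: bytes) -> Decision:
    """Decide whether an upload may be stored; reject by default."""
    if len(data) == 0:
        return Decision(False, "empty body")
    if len(data) > MAX_BYTES:
        return Decision(False, "exceeds size limit")
    ext = _extension(filename)
    if ext not in ALLOWED_TYPES:
        return Decision(False, f"extension not allowed: {ext or '(none)'}")
    magic, mime = ALLOWED_TYPES[ext]
    # Content check: a script renamed to .png fails here even though the
    # extension passed the allowlist.
    if not data.startswith(magic):
        return Decision(False, f"content does not match declared type {ext}")
    stored = f"{secrets.token_hex(16)}.{ext}"  # server-chosen name, no client input
    return Decision(True, "ok", stored, mime)


def save_upload(filename: str, data: bytes, upload_dir: str) -> Decision:
    """Validate, then write outside the web root with a safe mode and no overwrite."""
    decision = validate_upload(filename, data)
    if not decision.accepted:
        return decision
    os.makedirs(upload_dir, exist_ok=True)
    path = os.path.join(upload_dir, decision.stored_name)
    # O_EXCL: never clobber an existing file; 0o600: owner read/write, not executable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return decision


# Constructed sample uploads (not real files from any incident).
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
SAMPLES = {
    "photo.png": PNG_MAGIC + b"\x00" * 32,               # genuine-looking image
    "script.php": b"<?php /* server-side code */ ?>",     # disallowed extension
    "disguised.png": b"<?php /* renamed script */ ?>",    # allowed extension, wrong content
    "../../etc/job.png": PNG_MAGIC + b"\x00" * 32,        # traversal in name, valid content
    "report.pdf": b"%PDF-1.7\n%constructed\n",            # allowed document
    "noext": PNG_MAGIC,                                   # no extension at all
}


def run_samples() -> dict:
    """Store each sample into a temporary directory; return name -> (accepted, reason)."""
    upload_dir = tempfile.mkdtemp(prefix="uploads-")
    return {name: (d.accepted, d.reason)
            for name, d in ((n, save_upload(n, body, upload_dir)) for n, body in SAMPLES.items())}


if __name__ == "__main__":
    for name, (ok, why) in run_samples().items():
        print(f"{name:22s} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

The traversal sample is accepted because its content is a valid PNG, but it is stored under a random name in the configured directory, so the `../` in the client-supplied name has no effect. Serving stored files from a non-executing location (or a separate origin) is still needed in addition to these checks.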
