CVE-2025-13953

Bypass in the authentication method of the GTT Sistema de Información Tributario application

Assigner: INCIBE
Reserved: 03.12.2025 Published: 10.12.2025 Updated: 10.12.2025

Bypass vulnerability in the authentication method in the GTT Tax Information System application, related to the Active Directory (LDAP) login method.

Authentication is performed through a local WebSocket, but the web application does not properly validate the authenticity or origin of the data received, allowing an attacker with access to the local machine or internal network to impersonate the legitimate WebSocket and inject manipulated information.

Exploiting this vulnerability could allow an attacker to authenticate as any user in the domain, without the need for valid credentials, compromising the confidentiality, integrity, and availability of the application and its data.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 9.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	GTT
Product	Sistema de Información Tributario
Versions	Default: unaffected Version All versions is affected

Vendor

GTT

Product

Sistema de Información Tributario

Versions

Default: unaffected

Version All versions is affected

Solutions

The vulnerability has been fixed by disabling the Active Directory (LDAP) authentication method. The vulnerability is no longer exploitable at this time.

Credits

Julian J. Menéndez finder

References

Problem Types

CWE-290 Authentication Bypass by Spoofing CWE