CVE-2025-13953 CRITICAL

CVE-2025-13953: Bypass in the authentication method of the GTT Sistema de Información Tributario application

Vendor Gtt
Product Sistema de Información Tributario
Weakness CWE-290
Published December 10, 2025
Last update December 10, 2025

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Bypass vulnerability in the authentication method in the GTT Tax Information System application, related to the Active Directory (LDAP) login method. Authentication is performed through a local WebSocket, but the web application does not properly validate the authenticity or origin of the data received, allowing an attacker with access to the local machine or internal network to impersonate the legitimate WebSocket and inject manipulated information. Exploiting this vulnerability could allow an attacker to authenticate as any user in the domain, without the need for valid credentials, compromising the confidentiality, integrity, and availability of the application and its data.

Key dates

02Disclosure timeline

December 10, 2025 CVE published
December 10, 2025 Record updated