Bypass Vulnerability in GTT Tax Information System by GTT
CVE-2025-13953

9.3CRITICAL

Key Information:

Vendor: Gtt
Status: Sistema De Información Tributario
Vendor: CVE Published:; 10 December 2025

What is CVE-2025-13953?

A critical bypass vulnerability exists in the authentication method of the GTT Tax Information System, specifically concerning Active Directory (LDAP) login. The application utilizes a local WebSocket for authentication; however, it fails to adequately validate the authenticity or origin of incoming data. This flaw enables attackers with access to the internal network or local machine to impersonate legitimate WebSocket connections, facilitating the injection of manipulated data. Exploiting this vulnerability grants unauthorized authentication, permitting attackers to masquerade as any user in the domain without needing valid credentials, thus threatening the overall confidentiality, integrity, and availability of sensitive information within the application.

Affected Version(s)

Sistema de Información Tributario All versions

References

https://www.incibe.es/en/incibe-cert/notices/aviso/bypass...

CVSS V4

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 10, 2025
Vulnerability Reserved
Dec 3, 2025

Credit

Julian J. Menéndez

JSON

Gtt

What is CVE-2025-13953?

Affected Version(s)

References

CVSS V4

Timeline

Credit