Impact
An observable response discrepancy in HAVELSAN Inc.'s Geographic Tracking System permits attackers to determine the existence of specific user accounts, effectively enabling system footprinting. The flaw arises because the system returns distinguishable responses when queried with valid versus invalid user identifiers, allowing an adversary to enumerate users without authentication. This user‑enumeration weakness can provide valuable information for targeted lateral movement or credential‑guessing attacks.
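The discrepancy described above, shown as an added example (not HAVELSAN's code): a handler whose failures differ by account existence, a hardened form that answers every failure identically, and a regression check that compares the two cases. The login-style handler, the in-memory user store, the status codes and all names are assumptions, since the advisory does not describe the affected endpoint.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

# Constructed sample user store (hypothetical; not the product's data model).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential so an unknown user costs the same hashing work as a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder", _DUMMY_SALT)

def login_weak(user: str, password: str):
    """'Before' form: status and body reveal whether the account exists."""
    if user not in USERS:
        return 404, "No such user"
    salt, stored = USERS[user]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return 401, "Wrong password"
    return 200, "OK"

def login_uniform(user: str, password: str):
    """Hardened form: same status, body and hashing work for every failure."""
    salt, stored = USERS.get(user, (_DUMMY_SALT, _DUMMY_HASH))
    # The hash comparison always runs; the existence test only gates the result.
    ok = hmac.compare_digest(_hash(password, salt), stored) and user in USERS
    return (200, "OK") if ok else (401, "Invalid credentials")

def response_discrepancy(handler, known_user, absent_user, bad_password="x"):
    """Regression check: name the response fields that differ between a known
    account and an absent one when both requests fail authentication."""
    known = handler(known_user, bad_password)
    absent = handler(absent_user, bad_password)
    return [n for n, a, b in zip(("status", "body"), known, absent) if a != b]

if __name__ == "__main__":
    print("weak   :", response_discrepancy(login_weak, "alice", "mallory"))
    print("uniform:", response_discrepancy(login_uniform, "alice", "mallory"))
```

The same comparison belongs on every endpoint that accepts a user identifier (password reset, registration, lookup), and on headers, redirects and response time as well as status and body.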
Affected Systems
The vulnerability impacts the Geographic Tracking System from HAVELSAN Inc., specifically versions released before 0.0.2. Any deployment lacking an update to 0.0.2 or later remains vulnerable to user‑enumeration attacks.
Risk and Exploitability
The CVSS score of 9.1 classifies this flaw as a critical vulnerability, and although no EPSS score is available, the high severity indicates a substantial threat. Since the flaw can be exploited remotely by sending crafted requests to publicly accessible endpoints, it enables attackers to enumerate users with minimal effort. Although the vulnerability is not listed in CISA's KEV catalog, the potential impact on confidentiality and the ease of exploitation warrant immediate attention.