Skip to main content

HCL DevOps Velocity CVE-2025-31991

| EUVDEUVD-2025-209421 CRITICAL
Improper Restriction of Excessive Authentication Attempts (CWE-307)
2026-04-13 HCL
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
6.5 MEDIUM

Network login is reachable without auth (AV:N/PR:N), but success requires many guesses and a weak/no-MFA account (AC:H); a compromised account yields confidentiality (C:H) and limited integrity (I:L), with no availability impact (A:N).

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

9
Analysis Updated
Jul 07, 2026 - 18:13 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 07, 2026 - 18:13 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 07, 2026 - 18:07 vuln.today
cvss_changed
Severity Changed
Jul 07, 2026 - 18:07 NVD
MEDIUM CRITICAL
CVSS changed
Jul 07, 2026 - 18:07 NVD
6.8 (MEDIUM) 9.8 (CRITICAL)
Analysis Generated
Apr 13, 2026 - 16:44 vuln.today
EUVD ID Assigned
Apr 13, 2026 - 16:15 euvd
EUVD-2025-209421
Analysis Generated
Apr 13, 2026 - 16:15 vuln.today
CVE Published
Apr 13, 2026 - 15:56 nvd
MEDIUM 6.8

DescriptionNVD

Rate Limiting for attempting a user login is not being properly enforced, making HCL DevOps Velocity susceptible to brute-force attacks past the unsuccessful login attempt limit.  This vulnerability is fixed in 5.1.7.

AnalysisAI

Missing login rate-limiting in HCL DevOps Velocity (all versions before 5.1.7) lets remote attackers submit unlimited authentication attempts past the intended failed-login threshold, enabling automated brute-force and credential-stuffing against user accounts. Reported by HCL and fixed in 5.1.7, with no public exploit identified at time of analysis; EPSS is very low (0.02%) and CISA SSVC records exploitation as none and technical impact as only partial, contrasting sharply with the vendor's 9.8 CVSS.

Technical ContextAI

The flaw is CWE-307 (Improper Restriction of Excessive Authentication Attempts): the application defines an unsuccessful-login-attempt limit but fails to enforce it, so account lockout or throttling does not trigger. HCL DevOps Velocity (formerly UrbanCode Velocity) is an enterprise value-stream-management and DevOps orchestration platform; the affected component is the authentication/login path exposed over the network. The single CPE, cpe:2.3:a:hclsoftware:velocity:*, covers all Velocity releases up to the fix, meaning the missing control is in the core product rather than an optional module.

RemediationAI

Vendor-released patch: 5.1.7 - upgrade HCL DevOps Velocity to 5.1.7 or later as the primary and only complete fix, per HCL advisory KB0130138 (https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130138). Until the upgrade is applied, reduce brute-force exposure with compensating controls: enforce multi-factor authentication so that guessed passwords alone are insufficient (adds a login step for users), place the Velocity login endpoint behind a reverse proxy or WAF that applies per-IP/per-account request throttling and progressive delays (may block legitimate users behind shared NAT if thresholds are too tight), restrict network access to the login interface to trusted VPN/management networks (removes internet-facing exposure but limits remote convenience), and enforce a strong password policy plus monitor authentication logs for high-volume failed-login patterns to detect attempts the missing limiter would otherwise have stopped.

Share

CVE-2025-31991 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy