Skip to main content

Aftermarket Dpc CVE-2025-55262

| EUVDEUVD-2025-209081 HIGH
Use of Hard-coded Credentials (CWE-798)
2026-03-26 HCL GHSA-2g37-4q7v-m5xx
8.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.3 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 26, 2026 - 13:45 euvd
EUVD-2025-209081
Analysis Generated
Mar 26, 2026 - 13:45 vuln.today
CVE Published
Mar 26, 2026 - 13:07 nvd
HIGH 8.3

DescriptionCVE.org

HCL Aftermarket DPC is affected by SQL Injection which allows attacker to exploit this vulnerability to retrieve sensitive information from the database.

AnalysisAI

SQL injection in HCL Aftermarket DPC version 1.0.0 enables unauthenticated remote attackers to extract sensitive database contents and potentially compromise data integrity and availability. The vulnerability carries a CVSS score of 8.3 with network-based attack vector requiring user interaction. No public exploit is identified at time of analysis, and SSVC assessment indicates no current exploitation with non-automatable attack characteristics.

Technical ContextAI

HCL Aftermarket DPC version 1.0.0 (cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*) contains a SQL injection vulnerability allowing database manipulation through unsanitized user input. Interestingly, the CVE description maps to CWE-798 (Use of Hard-coded Credentials) rather than the expected CWE-89 (SQL Injection), suggesting the attack vector may involve exploiting static credentials to facilitate SQL injection attacks. The discrepancy between the described SQL injection and the assigned CWE-798 indicates this may be a compound vulnerability where hard-coded credentials enable subsequent SQL injection exploitation. The product appears to be a dealer parts commerce platform handling aftermarket automotive or industrial parts inventory and transaction data.

RemediationAI

Consult the HCL vendor security advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793 for official patch guidance and upgrade instructions. While specific patched version numbers are not confirmed in available intelligence, the vendor advisory should provide remediation steps and updated software releases. Until patching is completed, implement defense-in-depth controls including restricting network access to the DPC platform to trusted IP ranges only, deploying web application firewall rules to detect and block SQL injection attempts, enforcing parameterized queries and input validation at the application layer if source code access permits, and monitoring database query logs for suspicious activity. Given the CWE-798 classification suggesting hard-coded credentials, also review and rotate any static authentication credentials used by the application.

CVE-2025-55261 HIGH
8.1 Mar 26

Missing functional level access control in HCL Aftermarket DPC version 1.0.0 enables privilege escalation attacks that c

CVE-2025-55263 HIGH
7.3 Mar 26

Hardcoded credentials in HCL Aftermarket DPC version 1.0.0 enable authenticated low-privilege attackers with user intera

CVE-2025-55265 MEDIUM
6.5 Mar 26

HCL Aftermarket DPC version 1.0.0 is vulnerable to unauthenticated file discovery that allows remote attackers to read s

CVE-2025-55266 MEDIUM
5.9 Mar 26

HCL Aftermarket DPC versions up to 1.0.0 are vulnerable to session fixation attacks that enable attackers to hijack user

CVE-2025-55267 MEDIUM
5.7 Mar 26

HCL Aftermarket DPC versions prior to and including 1.0.0 suffer from an unrestricted file upload vulnerability (CWE-434

CVE-2025-55264 MEDIUM
5.5 Mar 26

Session invalidation failure in HCL Aftermarket DPC versions up to 1.0.0 allows authenticated attackers to maintain acti

CVE-2025-55268 MEDIUM
4.3 Mar 26

HCL Aftermarket DPC version 1.0.0 is vulnerable to excessive spamming that consumes server bandwidth and processing reso

CVE-2025-55273 MEDIUM
4.3 Mar 26

HCL Aftermarket DPC is vulnerable to Cross Domain Script Include (CWE-829) that permits unauthenticated remote attackers

CVE-2025-55269 MEDIUM
4.2 Mar 26

HCL Aftermarket DPC version 1.0.0 enforces weak password policies that enable attackers to conduct brute-force attacks a

CVE-2025-55275 LOW
3.7 Mar 26

HCL Aftermarket DPC versions up to 1.0.0 contain an admin session concurrency vulnerability that allows authenticated at

CVE-2025-55270 LOW
3.5 Mar 26

HCL Aftermarket DPC version 1.0.0 contains improper input validation (CWE-20) that enables multiple injection attack vec

CVE-2025-55271 LOW
3.1 Mar 26

HTTP Response Splitting in HCL Aftermarket DPC allows unauthenticated remote attackers to inject arbitrary content or co

Share

CVE-2025-55262 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy