CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Description
HCL Aftermarket DPC is affected by a failure to invalidate sessions on password change. An attacker who already holds a session can keep control of the account despite the password change, leading to account takeover.
Analysis
Session invalidation failure in HCL Aftermarket DPC versions up to 1.0.0 allows authenticated attackers to maintain active sessions after a password change, enabling persistent account takeover. An attacker who gains initial session access can continue to operate under a compromised account identity even after the victim resets their password, because the application fails to terminate pre-existing sessions upon credential modification. No public exploit code or active exploitation had been identified at the time of analysis.
Technical Context
The vulnerability stems from a session management implementation flaw classified under CWE-613 (Insufficient Session Expiration), where HCL Aftermarket DPC does not properly invalidate active HTTP sessions when a user changes their password. The affected product is identified via CPE cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*. Session tokens or cookies remain valid post-password-change because the application lacks server-side session lifecycle management tied to authentication credential events. This allows a threat actor with an existing authenticated session (established through credential compromise, phishing, or other means) to bypass the user's defensive action of password reset, maintaining unauthorized access to the account and its associated resources.
Affected Products
HCL Aftermarket DPC version 1.0.0 and potentially earlier versions are affected, as indicated by the affected version list provided by ENISA EUVD (ID EUVD-2025-209085). The product is identified via CPE cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*. Consult the HCL security advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793 and the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2025-55264 for the complete list of affected versions and any version-specific patch guidance.
Remediation
Apply the security patch from HCL as described in their official advisory (https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793). The patch should address session invalidation logic to ensure all active sessions are terminated when a password change event occurs. Until patching is possible, mitigate by enforcing periodic session timeout policies (e.g., 30-60 minute inactivity windows) at the application level, implementing IP-based session pinning where feasible to detect session hijacking, and monitoring account activity logs for unexpected concurrent sessions. Additionally, require users to log out from all devices after a password change and implement multi-factor authentication (MFA) to add a second factor of control beyond session tokens.
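The CWE-613 pattern described above beside its hardened form, as an added example that is not code from HCL Aftermarket DPC: a minimal in-memory session store (all names are assumptions) where `change_password_vulnerable` rotates the credential but leaves every session live, `change_password_fixed` also revokes every session except the one performing the change, and `concurrent_sessions` supports the concurrent-session monitoring suggested as an interim mitigation.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    pw_hash: str
    # server-side registry of live session tokens for this account
    sessions: set = field(default_factory=set)


def _hash(pw: str) -> str:
    # illustrative only; a real deployment uses a slow KDF (argon2/bcrypt)
    return hashlib.sha256(pw.encode()).hexdigest()


class SessionStore:
    def __init__(self):
        self.accounts = {}  # username -> Account
        self.sessions = {}  # session token -> username

    def register(self, username, password):
        self.accounts[username] = Account(username, _hash(password))

    def login(self, username, password):
        acct = self.accounts[username]
        if acct.pw_hash != _hash(password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        acct.sessions.add(token)
        return token

    def is_valid(self, token):
        return token in self.sessions

    def concurrent_sessions(self, username):
        # monitoring hook: number of live sessions for one account
        return len(self.accounts[username].sessions)

    def change_password_vulnerable(self, token, new_password):
        # CWE-613: the credential changes, but no session is revoked,
        # so a session obtained before the change stays usable
        self.accounts[self.sessions[token]].pw_hash = _hash(new_password)

    def change_password_fixed(self, token, new_password):
        # hardened: rotate the credential, then revoke every other session
        acct = self.accounts[self.sessions[token]]
        acct.pw_hash = _hash(new_password)
        for old in list(acct.sessions):
            if old != token:
                self.sessions.pop(old, None)
        acct.sessions = {token}
```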
EUVD-2025-209085
GHSA-m87p-2jxv-5xfp