CVE-2025-55265

EUVD-2025-209053 | Severity: MEDIUM
2026-03-26 | Vendor: HCL | GHSA-pw9r-4x84-7pxx
CVSS 3.1 base score: 6.5

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 26, 2026 - 13:15 (vuln.today)
EUVD ID Assigned: Mar 26, 2026 - 13:15 (euvd) - EUVD-2025-209053
CVE Published: Mar 26, 2026 - 13:02 (nvd) - MEDIUM 6.5

Description

HCL Aftermarket DPC is affected by a File Discovery weakness. An attacker could exploit this issue to read sensitive files present on the system and may use the information to craft further attacks.

Analysis

HCL Aftermarket DPC version 1.0.0 is vulnerable to unauthenticated file discovery that allows remote attackers to read sensitive files from the system; the only user interaction required is a single click, and the disclosed files can support reconnaissance for follow-on attacks. The vulnerability carries a CVSS score of 6.5 (Medium) with high confidentiality impact but no integrity or availability consequences. No public exploit code or active exploitation had been reported at the time of analysis.

Technical Context

The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), a broad information disclosure weakness that typically stems from missing access controls or path traversal in file-handling logic. HCL Aftermarket DPC (cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*) does not sufficiently restrict file enumeration or access, permitting attackers to discover and retrieve sensitive files over the network. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) indicates that the attack is network-accessible with low complexity, requires no privileges, and needs minimal user interaction (a single click), which suggests a direct HTTP request or a client-side redirect that exposes the file discovery interface.

Affected Products

HCL Aftermarket DPC version 1.0.0 is confirmed vulnerable per the EUVD record (EUVD-2025-209053). The vulnerability applies to all instances of the affected version as indicated by the CPE string cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*. Vendor details and patch information are documented in the HCL support knowledge base at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793.

Remediation

Contact HCL Software to obtain and deploy the patched release of Aftermarket DPC that supersedes version 1.0.0; consult the vendor advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793 for the specific patch version and deployment instructions. Until patching is complete, restrict inbound connections to Aftermarket DPC to trusted IP ranges with network-level access controls, disable or restrict file enumeration features if they are configurable, and monitor file access logs for unauthorized file discovery attempts. Consider isolating Aftermarket DPC instances in a separate network segment to limit exposure if an instance is compromised.

Priority Score

Priority score: 32
KEV: 0
EPSS: +0.0
CVSS: +32
POC: 0


CVE-2025-55265 vulnerability details – vuln.today
