What is the CVSS score of CVE-2025-55267?

CVE-2025-55267 has a CVSS 3.1 base score of 5.7 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Aftermarket Dpc are affected by CVE-2025-55267?

Organizations using HCL Aftermarket DPC should be aware of moderate risk from CVE-2025-55267, a unrestricted file upload vulnerability rated CVSS 5.7. This could allow unauthorized file access.

How to fix or mitigate CVE-2025-55267?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Review file handling controls.

Aftermarket Dpc CVE-2025-55267

EUVD-2025-209057 MEDIUM

Unrestricted Upload of File with Dangerous Type (CWE-434)

2026-03-26 HCL

GHSA-rh5v-5pwc-jx6p

File Upload Aftermarket Dpc

5.7

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 26, 2026 - 13:15 euvd

EUVD-2025-209057

Analysis Generated

Mar 26, 2026 - 13:15 vuln.today

CVE Published

Mar 26, 2026 - 13:01 nvd

MEDIUM 5.7

DescriptionNVD

HCL Aftermarket DPC is affected by Unrestricted File Upload vulnerability, allows attacker to upload and execute malicious scripts, gaining full control over the server.

AnalysisAI

HCL Aftermarket DPC versions prior to and including 1.0.0 suffer from an unrestricted file upload vulnerability (CWE-434) that enables authenticated remote attackers to upload and execute arbitrary scripts on the affected server, potentially achieving full system compromise. The attack requires user interaction and low-privilege authentication but carries high integrity impact. No public exploit code or active exploitation has been confirmed; however, the vulnerability's straightforward exploitation mechanics and authenticated attack vector make it a moderate-priority issue for organizations deploying this software.

Technical ContextAI

The vulnerability resides in HCL Aftermarket DPC's file upload handling mechanism, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). The affected product is identified via CPE as cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*. The root cause is insufficient validation and restriction of uploaded file types, allowing attackers with authenticated access (PR:L per CVSS vector) to bypass server-side controls and place executable script files in web-accessible directories. Once uploaded, these scripts execute within the server's runtime context, providing command execution capabilities. The attack surface is network-accessible (AV:N) with low complexity (AC:L), indicating the vulnerability can be triggered through standard HTTP requests without specialized exploitation techniques.

RemediationAI

Upgrade HCL Aftermarket DPC to the patched version specified in the vendor advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793. If a patched version is not yet available, implement compensating controls: enforce strict file upload validation by file extension and MIME type on the server side, restrict uploaded files to a non-executable directory outside the web root, disable script execution in upload directories via web server configuration (e.g., .htaccess or web.config directives), and limit file upload permissions to trusted users only. Additionally, implement robust input validation, antivirus scanning on uploads, and regular log monitoring for suspicious file activities.

CVE-2025-55267 vulnerability details – vuln.today

Back