CVE-2025-55267

EUVD-2025-209057 | Severity: MEDIUM | Published: 2026-03-26 | Vendor: HCL | GHSA-rh5v-5pwc-jx6p
CVSS 3.1 base score: 5.7

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 26, 2026 - 13:15 (vuln.today)
EUVD ID Assigned: Mar 26, 2026 - 13:15 (euvd), EUVD-2025-209057
CVE Published: Mar 26, 2026 - 13:01 (nvd), MEDIUM 5.7

Description

HCL Aftermarket DPC is affected by an Unrestricted File Upload vulnerability that allows an attacker to upload and execute malicious scripts, gaining full control over the server.

Analysis

HCL Aftermarket DPC versions prior to and including 1.0.0 suffer from an unrestricted file upload vulnerability (CWE-434) that enables authenticated remote attackers to upload and execute arbitrary scripts on the affected server, potentially achieving full system compromise. The attack requires user interaction and low-privilege authentication but carries high integrity impact. No public exploit code or active exploitation has been confirmed; however, the vulnerability's straightforward exploitation mechanics and authenticated attack vector make it a moderate-priority issue for organizations deploying this software.

Technical Context

The vulnerability resides in HCL Aftermarket DPC's file upload handling mechanism, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). The affected product is identified via CPE as cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*. The root cause is insufficient validation and restriction of uploaded file types, allowing attackers with authenticated access (PR:L per CVSS vector) to bypass server-side controls and place executable script files in web-accessible directories. Once uploaded, these scripts execute within the server's runtime context, providing command execution capabilities. The attack surface is network-accessible (AV:N) with low complexity (AC:L), indicating the vulnerability can be triggered through standard HTTP requests without specialized exploitation techniques.

Affected Products

HCL Aftermarket DPC version 1.0.0 and all prior versions are affected, as confirmed by EUVD-2025-209057. The vulnerability is catalogued under CPE cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*. Further version enumeration and patch availability should be verified via the vendor security advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793 and the NIST NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2025-55267.

Remediation

Upgrade HCL Aftermarket DPC to the patched version specified in the vendor advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793. If a patched version is not yet available, implement compensating controls: enforce strict file upload validation by file extension and MIME type on the server side, restrict uploaded files to a non-executable directory outside the web root, disable script execution in upload directories via web server configuration (e.g., .htaccess or web.config directives), and limit file upload permissions to trusted users only. Additionally, implement robust input validation, antivirus scanning on uploads, and regular log monitoring for suspicious file activities.

Priority Score: 28 (KEV: 0, EPSS: +0.0, CVSS: +28, POC: 0)

CVE-2025-55267 vulnerability details – vuln.today