CVE-2025-55268

EUVD-2025-209059 | Severity: MEDIUM | Published: 2026-03-26 | Vendor: HCL | CVSS 3.1 base score: 4.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: Low

Lifecycle Timeline (3 events)

Analysis Generated: Mar 26, 2026 13:15 (vuln.today)
EUVD ID Assigned: Mar 26, 2026 13:15 (euvd), EUVD-2025-209059
CVE Published: Mar 26, 2026 13:00 (nvd), MEDIUM 4.3

Description

HCL Aftermarket DPC is affected by a spamming vulnerability: an actor can submit excessive spam that consumes server bandwidth and processing resources, which may lead to denial of service.

Analysis

HCL Aftermarket DPC version 1.0.0 is vulnerable to excessive spamming that consumes server bandwidth and processing resources, potentially causing denial of service to legitimate users. The vulnerability requires user interaction (UI:R per the CVSS vector) and is remotely exploitable without authentication, resulting in a partial availability impact. No public exploit code or active exploitation had been identified at the time of analysis, though the low barrier to exploitation (AC:L) makes this a practical vector for resource exhaustion.

Technical Context

CVE-2025-55268 is classified under CWE-799 (Improper Control of Interaction Frequency), which describes inadequate rate limiting or request throttling mechanisms. HCL Aftermarket DPC (CPE: cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*) lacks sufficient input validation or request filtering to prevent an attacker from flooding the application with repeated requests. The vulnerability stems from missing or insufficient anti-spam controls that would normally enforce per-user or per-IP request quotas, connection limits, or CAPTCHA challenges. The root cause is not a flaw in an underlying library but rather incomplete implementation of resource protection mechanisms in the application's request handling layer.

Affected Products

HCL Aftermarket DPC version 1.0.0 is confirmed affected as documented in EUVD-2025-209059. The affected-product record uses the unversioned CPE string cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*, which does not bound the affected versions. Vendor advisory and security bulletins are available through HCL support at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793. Additional advisories and vulnerability details are documented on VulDB (https://vuldb.com/?id.353598) and NIST NVD (https://nvd.nist.gov/vuln/detail/CVE-2025-55268). The affected version range has not been disclosed beyond version 1.0.0; organizations should consult the HCL advisory for a complete list of impacted versions.

Remediation

HCL customers should consult the official vendor advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793 for patch availability and recommended upgrade versions. Until a patched version is deployed, implement compensating controls: configure rate limiting at the network or load balancer level to restrict requests per source IP or user session, deploy Web Application Firewall (WAF) rules to detect and block spamming patterns, enforce request throttling with exponential backoff for repeated submissions from the same source, and monitor server resource utilization and request logs for anomalies indicating attack activity. If the application is exposed to untrusted networks, consider restricting access via IP allowlisting or VPN until patching is complete.
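The following is an added example, not code from HCL or from the vuln.today record, showing the shape of the first two compensating controls above: a per-source (e.g. per client IP) token-bucket throttle whose block period doubles on each consecutive violation and is forgiven after a quiet interval, which is the kind of interaction-frequency control CWE-799 says is missing. The class names, parameters, the injectable clock and the sample source addresses are all assumptions; a production deployment would enforce the same policy at the load balancer or WAF and back it with shared state rather than an in-process dictionary.

```python
"""Per-source request throttling with exponential backoff.

Added example, not HCL's code. The CVE record only states that Aftermarket
DPC lacks per-user/per-IP request quotas (CWE-799); the names, parameters
and sample addresses below are assumptions chosen to demonstrate the
compensating controls listed under Remediation.
"""
import time
from dataclasses import dataclass


@dataclass
class _Bucket:
    tokens: float                # remaining burst allowance for this source
    last_refill: float           # clock reading at the last refill
    strikes: int = 0             # consecutive refusals for this source
    last_strike: float = 0.0
    blocked_until: float = 0.0


class RequestThrottle:
    """Token bucket per source key with exponential backoff on refusal.

    A source may send `burst` requests at once, then `rate` per second.
    Each refusal blocks it for base_backoff * 2**strikes seconds (capped at
    max_backoff); strikes are forgiven once the source has been quiet for
    max_backoff seconds, so a one-off burst is not punished forever.
    """

    def __init__(self, rate=1.0, burst=5, base_backoff=1.0, max_backoff=300.0,
                 clock=time.monotonic):
        self.rate, self.burst = rate, burst
        self.base_backoff, self.max_backoff = base_backoff, max_backoff
        self.clock = clock       # injectable so the demo is deterministic
        self._buckets = {}

    def allow(self, source):
        """Return (allowed, retry_after_seconds) for one request from source."""
        now = self.clock()
        b = self._buckets.get(source)
        if b is None:
            b = self._buckets[source] = _Bucket(float(self.burst), now)
        if now < b.blocked_until:                  # still serving a penalty
            return False, b.blocked_until - now
        if b.strikes and now - b.last_strike > self.max_backoff:
            b.strikes = 0                          # quiet long enough: forgive
        # Credit tokens earned since the last request, never above the burst.
        b.tokens = min(self.burst, b.tokens + (now - b.last_refill) * self.rate)
        b.last_refill = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True, 0.0
        # Limit hit: the penalty doubles with each consecutive violation.
        penalty = min(self.max_backoff, self.base_backoff * 2 ** b.strikes)
        b.strikes += 1
        b.last_strike = now
        b.blocked_until = now + penalty
        return False, penalty


class ManualClock:
    """Deterministic stand-in for time.monotonic() (assumed test helper)."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def demo():
    """Burst of 3, then 1 request/s, backoff 2 s doubling up to 16 s.

    Returns one (t, allowed, retry_after) tuple per simulated request from a
    single constructed source address.
    """
    clock = ManualClock()
    th = RequestThrottle(rate=1.0, burst=3, base_backoff=2.0, max_backoff=16.0,
                         clock=clock)
    out = []
    for t in (0, 0, 0, 0, 1, 2, 2, 2, 5, 30):
        clock.t = float(t)
        allowed, wait = th.allow("203.0.113.7")   # RFC 5737 documentation IP
        out.append((t, allowed, wait))
    return out


if __name__ == "__main__":
    for step in demo():
        print(step)
```

In the demo the fourth request at t=0 is refused with a 2 s penalty, the second refusal at t=2 costs 4 s, and by t=30 the source has been quiet longer than max_backoff, so its strikes are cleared and it is served again at the base penalty. The retry-after value is what a front end would surface as a 429 response with a Retry-After header; the same state, keyed by IP, is what the log-monitoring control above should be watching for sources that keep accumulating strikes.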

Priority Score

22 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +22
POC: 0


CVE-2025-55268 vulnerability details – vuln.today
