Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:L
Lifecycle Timeline
3DescriptionCVE.org
HCL Aftermarket DPC is affected by Weak Password Policy vulnerability, which makes it easier for attackers to guess weak passwords or use brute-force techniques to gain unauthorized access to user accounts.
AnalysisAI
HCL Aftermarket DPC version 1.0.0 enforces weak password policies that enable attackers to conduct brute-force attacks and guess user credentials, potentially gaining unauthorized account access with low confidentiality and availability impact. The vulnerability requires user interaction and high attack complexity to exploit, but affects unauthenticated threat actors over the network. No public exploit code or active exploitation has been identified at the time of analysis.
Technical ContextAI
This vulnerability stems from inadequate password policy enforcement in HCL Aftermarket DPC, classified under CWE-521 (Weak Password Policy). The root cause involves insufficient controls on password complexity, length, or entropy requirements during user account creation and credential management. Affected systems (cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*) lack proper validation mechanisms that would enforce strong credential standards, allowing users to set easily guessable passwords. This authentication control gap increases susceptibility to offline dictionary attacks and online brute-force attempts against login interfaces.
RemediationAI
Consult the HCL Software security advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793 for the exact patched version available. Until patches can be applied, enforce strong password policies at the application level by implementing mandatory password requirements (minimum length of 12+ characters, complexity requirements including uppercase, lowercase, numerals, and special characters) and account lockout mechanisms after failed login attempts. Additionally, implement network-level controls such as IP-based access restrictions, rate limiting on authentication endpoints, and monitoring for brute-force patterns to reduce attack surface while patching schedules are underway.
More in Aftermarket Dpc
View allSQL injection in HCL Aftermarket DPC version 1.0.0 enables unauthenticated remote attackers to extract sensitive databas
Missing functional level access control in HCL Aftermarket DPC version 1.0.0 enables privilege escalation attacks that c
Hardcoded credentials in HCL Aftermarket DPC version 1.0.0 enable authenticated low-privilege attackers with user intera
HCL Aftermarket DPC version 1.0.0 is vulnerable to unauthenticated file discovery that allows remote attackers to read s
HCL Aftermarket DPC versions up to 1.0.0 are vulnerable to session fixation attacks that enable attackers to hijack user
HCL Aftermarket DPC versions prior to and including 1.0.0 suffer from an unrestricted file upload vulnerability (CWE-434
Session invalidation failure in HCL Aftermarket DPC versions up to 1.0.0 allows authenticated attackers to maintain acti
HCL Aftermarket DPC version 1.0.0 is vulnerable to excessive spamming that consumes server bandwidth and processing reso
HCL Aftermarket DPC is vulnerable to Cross Domain Script Include (CWE-829) that permits unauthenticated remote attackers
HCL Aftermarket DPC versions up to 1.0.0 contain an admin session concurrency vulnerability that allows authenticated at
HCL Aftermarket DPC version 1.0.0 contains improper input validation (CWE-20) that enables multiple injection attack vec
HTTP Response Splitting in HCL Aftermarket DPC allows unauthenticated remote attackers to inject arbitrary content or co
Same weakness CWE-521 – Weak Password Requirements
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209061