CVE-2025-55269

EUVD-2025-209061 | MEDIUM | CVSS 3.1 base score 4.2 | Published 2026-03-26 | Vendor: HCL

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:L

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: Low

Lifecycle Timeline

Analysis Generated: Mar 26, 2026 - 13:15 (vuln.today)
EUVD ID Assigned: Mar 26, 2026 - 13:15 (euvd), EUVD-2025-209061
CVE Published: Mar 26, 2026 - 13:00 (nvd), MEDIUM 4.2

Description

HCL Aftermarket DPC is affected by a Weak Password Policy vulnerability, which makes it easier for attackers to guess weak passwords or use brute-force techniques to gain unauthorized access to user accounts.

Analysis

HCL Aftermarket DPC version 1.0.0 enforces a weak password policy, which lets users choose easily guessed credentials and makes password-guessing and brute-force attacks against user accounts more likely to succeed. A successful attack yields unauthorized account access with low confidentiality and availability impact. Exploitation requires no privileges and is reachable over the network by unauthenticated attackers, but the CVSS vector records high attack complexity and required user interaction. No public exploit code or active exploitation had been identified at the time of analysis.

Technical Context

This vulnerability stems from inadequate password policy enforcement in HCL Aftermarket DPC and is classified under CWE-521 (Weak Password Requirements). The root cause is insufficient control over password length, complexity or entropy during account creation and credential changes, with no screening of candidate passwords against known-weak values. Affected systems (cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*) lack the validation that would enforce strong credential standards, so users can set easily guessable passwords. This authentication control gap increases susceptibility to online guessing and brute-force attempts against login interfaces, and, should password hashes ever be exposed, to offline dictionary attacks.
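To make the CWE-521 control gap concrete, here is an added example (not HCL code, and not taken from the advisory) of a password-policy check: a weak policy of the kind the description implies beside a hardened one that screens length, repetition, a deny list of common or breached passwords, and the username. The PasswordPolicy class, validate_password, compare_policies and the COMMON_PASSWORDS list are hypothetical names constructed for illustration.

```python
"""Password-policy check for CWE-521: a weak policy beside a hardened one.

Added example, not HCL code.  PasswordPolicy, validate_password and the
deny list are hypothetical names constructed for illustration.
"""
from dataclasses import dataclass

# Constructed stand-in for a breached/common-password deny list.  A real
# deployment loads a large corpus or queries a k-anonymity range API.
COMMON_PASSWORDS = frozenset({
    "password", "123456", "12345678", "qwerty", "welcome1",
    "admin123", "letmein", "iloveyou", "password1", "summer2025",
})


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 128          # bound hashing cost, but never truncate silently
    min_unique_chars: int = 1      # rejects "aaaaaaaaaaaa"-style padding
    check_common: bool = False     # screen against COMMON_PASSWORDS
    check_user_info: bool = False  # reject passwords that embed the username


# The kind of policy CWE-521 describes: short minimum, no screening at all.
WEAK_POLICY = PasswordPolicy(min_length=6)

# A policy in line with NIST SP 800-63B: length plus deny-list screening,
# no character-class composition rules.
HARDENED_POLICY = PasswordPolicy(
    min_length=12, min_unique_chars=5, check_common=True, check_user_info=True
)


def _normalise(password: str) -> str:
    """Lower-case and strip trailing digits/symbols so 'Password1!' hits 'password'."""
    return password.lower().rstrip("0123456789!@#$%^&*.")


def validate_password(password: str, username: str, policy: PasswordPolicy) -> list[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems: list[str] = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(password) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    if len(set(password)) < policy.min_unique_chars:
        problems.append(f"fewer than {policy.min_unique_chars} distinct characters")
    if policy.check_common:
        lowered = password.lower()
        if lowered in COMMON_PASSWORDS or _normalise(password) in COMMON_PASSWORDS:
            problems.append("appears on the common/breached password list")
    if policy.check_user_info and username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def compare_policies(password: str, username: str) -> dict[str, bool]:
    """Report whether each policy would accept the candidate password."""
    return {
        "weak_accepts": not validate_password(password, username, WEAK_POLICY),
        "hardened_accepts": not validate_password(password, username, HARDENED_POLICY),
    }


if __name__ == "__main__":
    for candidate in ("Password1", "alice-Summer2025!", "aaaaaaaaaaaa",
                      "correct horse battery staple"):
        print(f"{candidate!r:32} {compare_policies(candidate, 'alice')}")
```

The weak policy accepts "Password1", which is exactly what an online guessing attack tries first; the hardened policy rejects it on both length and the deny list, while still accepting a long passphrase with no special characters. The deny-list normalisation matters in practice, since "Password1!" is just "password" with the suffixes most users add to satisfy composition rules.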

Affected Products

HCL Aftermarket DPC version 1.0.0 is confirmed affected according to the European Union Vulnerability Database (EUVD-2025-209061). The CPE identifier cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:* carries a wildcard in the version field, so the record does not bound the affected range; version 1.0.0 is the only version explicitly cited. HCL Software has published security advisory KB0129793 at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793 with details on affected versions and remediation guidance.

Remediation

Consult the HCL Software security advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793 for the patched version. Until the patch can be applied, enforce a strong password policy at whatever control point is available (the application's own settings if it exposes them, or an upstream identity provider or reverse proxy in front of the login): a minimum length of 12 or more characters, rejection of passwords that appear on common or breached-password lists or that contain the username, and a temporary lockout or progressive delay after repeated failed logins. Character-class composition rules (uppercase, lowercase, numerals, special characters) add little on their own, and current NIST SP 800-63B guidance advises against requiring them. Prefer temporary lockouts over permanent ones so the control cannot itself be used to lock legitimate users out, and audit existing accounts for weak credentials rather than relying on policy for new passwords alone. Additionally, apply network-level controls such as IP-based access restrictions and rate limiting on authentication endpoints, and monitor for brute-force and password-spraying patterns, to reduce exposure while patching is scheduled.
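The monitoring and lockout advice above is easier to reason about with the detection logic written out. The following is an added example, not part of the advisory and not HCL code: a sliding-window detector run over a constructed authentication log that flags targeted brute force against one account, password spraying from one source across many accounts, and the most important signal of all, a successful login on an account that had just exceeded the failure threshold. The log format, field names, thresholds and the SAMPLE_LOG lines are all hypothetical.

```python
"""Brute-force and password-spray detection over authentication log lines.

Added example, not HCL code.  The log format, field names and thresholds are
hypothetical; the SAMPLE_LOG lines are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample: a targeted attack on alice that eventually succeeds,
# a spray from one source across several accounts, and slow failures by
# frank that stay under the rate threshold.
SAMPLE_LOG = """\
2026-03-26T13:00:01Z auth-fail user=alice src=203.0.113.7
2026-03-26T13:00:03Z auth-fail user=alice src=203.0.113.7
2026-03-26T13:00:05Z auth-fail user=alice src=203.0.113.7
2026-03-26T13:00:08Z auth-fail user=alice src=203.0.113.7
2026-03-26T13:00:10Z auth-fail user=alice src=203.0.113.7
2026-03-26T13:00:12Z auth-ok user=alice src=203.0.113.7
2026-03-26T13:05:00Z auth-fail user=bob src=198.51.100.9
2026-03-26T13:05:01Z auth-fail user=carol src=198.51.100.9
2026-03-26T13:05:02Z auth-fail user=dave src=198.51.100.9
2026-03-26T13:05:03Z auth-fail user=erin src=198.51.100.9
2026-03-26T13:20:00Z auth-fail user=frank src=192.0.2.44
2026-03-26T13:20:30Z auth-fail user=frank src=192.0.2.44
2026-03-26T13:22:00Z auth-fail user=frank src=192.0.2.44
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) auth-(?P<result>ok|fail) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str):
    """Return (timestamp, result, user, src) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["result"], m["user"], m["src"]


def detect_bruteforce(lines, window=timedelta(seconds=60), max_failures=5, spray_users=3):
    """Sliding-window detection of targeted brute force and password spraying.

    Failures are counted per account across all sources, so a distributed
    attack on one account is still caught; spraying is counted per source as
    the number of distinct accounts failed against within the window.
    """
    account_failures: dict[str, deque] = defaultdict(deque)
    source_users: dict[str, dict[str, datetime]] = defaultdict(dict)
    locked: set[str] = set()
    spraying: set[str] = set()
    success_after_lockout: set[str] = set()

    events = [e for e in map(parse_line, lines) if e is not None]
    for ts, result, user, src in sorted(events):
        if result == "ok":
            # A success on an account already over the failure threshold is the
            # strongest signal that a weak password has just been guessed.
            if user in locked:
                success_after_lockout.add(user)
            continue
        q = account_failures[user]
        q.append(ts)
        while q and ts - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            locked.add(user)
        seen = source_users[src]
        seen[user] = ts
        for u in [u for u, t in seen.items() if ts - t > window]:
            del seen[u]
        if len(seen) >= spray_users:
            spraying.add(src)

    return {
        "locked_accounts": locked,
        "spraying_sources": spraying,
        "success_after_lockout": success_after_lockout,
    }


if __name__ == "__main__":
    for key, value in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{key}: {sorted(value)}")
```

Two design points carry over to a real deployment. Per-account counting catches a distributed attack that rotates source addresses, which pure IP rate limiting misses; per-source distinct-user counting catches spraying, where each account sees only one or two attempts and never trips a lockout. The window also shows why slow attacks stay invisible to rate thresholds (frank is never locked), which is why the password policy itself, not just the rate limit, is the fix.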

Priority Score

21 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +21
POC: 0
