Skip to main content

Aftermarket Dpc CVE-2025-55272

| EUVDEUVD-2025-209067 LOW
Information Exposure (CWE-200)
2026-03-26 HCL GHSA-9hpr-m4wx-q284
3.1
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.1 LOW
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 26, 2026 - 13:15 euvd
EUVD-2025-209067
Analysis Generated
Mar 26, 2026 - 13:15 vuln.today
CVE Published
Mar 26, 2026 - 12:55 nvd
LOW 3.1

DescriptionCVE.org

HCL Aftermarket DPC is affected by Banner Disclosure vulnerability where attackers gain insights into the system’s software and version details which would allow them to craft software specific attacks.

AnalysisAI

HCL Aftermarket DPC discloses sensitive system and software version information through banner responses, enabling attackers to enumerate deployed instances and tailor version-specific exploits. Aftermarket DPC version 1.0.0 is confirmed affected. The vulnerability requires user interaction and high attack complexity but results in partial confidentiality loss; no public exploit has been identified at the time of analysis.

Technical ContextAI

The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and manifests as a banner disclosure flaw in HCL Aftermarket DPC (cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*). Banner disclosure vulnerabilities occur when application responses, error messages, or HTTP headers leak version strings, server identification, or other implementation details. In this case, HCL Aftermarket DPC exposes software identification and version metadata to unauthenticated, remote attackers, which can be passively harvested during reconnaissance phases. This information disclosure does not directly enable code execution or system compromise but significantly reduces the attack surface uncertainty that normally protects obscure or patched systems.

RemediationAI

Apply the security patch provided by HCL as documented in KB0129793 (https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793). If immediate patching is not feasible, implement network-level mitigations by restricting remote access to HCL Aftermarket DPC management interfaces to trusted IP ranges and authenticated networks only. Deploy reverse proxy headers to suppress banner disclosure (e.g., remove Server and X-Powered-By headers), and enforce HTTPS with strong TLS configurations to prevent passive enumeration. Monitor logs for reconnaissance attempts targeting version information endpoints.

CVE-2025-55262 HIGH
8.3 Mar 26

SQL injection in HCL Aftermarket DPC version 1.0.0 enables unauthenticated remote attackers to extract sensitive databas

CVE-2025-55261 HIGH
8.1 Mar 26

Missing functional level access control in HCL Aftermarket DPC version 1.0.0 enables privilege escalation attacks that c

CVE-2025-55263 HIGH
7.3 Mar 26

Hardcoded credentials in HCL Aftermarket DPC version 1.0.0 enable authenticated low-privilege attackers with user intera

CVE-2025-55265 MEDIUM
6.5 Mar 26

HCL Aftermarket DPC version 1.0.0 is vulnerable to unauthenticated file discovery that allows remote attackers to read s

CVE-2025-55266 MEDIUM
5.9 Mar 26

HCL Aftermarket DPC versions up to 1.0.0 are vulnerable to session fixation attacks that enable attackers to hijack user

CVE-2025-55267 MEDIUM
5.7 Mar 26

HCL Aftermarket DPC versions prior to and including 1.0.0 suffer from an unrestricted file upload vulnerability (CWE-434

CVE-2025-55264 MEDIUM
5.5 Mar 26

Session invalidation failure in HCL Aftermarket DPC versions up to 1.0.0 allows authenticated attackers to maintain acti

CVE-2025-55268 MEDIUM
4.3 Mar 26

HCL Aftermarket DPC version 1.0.0 is vulnerable to excessive spamming that consumes server bandwidth and processing reso

CVE-2025-55273 MEDIUM
4.3 Mar 26

HCL Aftermarket DPC is vulnerable to Cross Domain Script Include (CWE-829) that permits unauthenticated remote attackers

CVE-2025-55269 MEDIUM
4.2 Mar 26

HCL Aftermarket DPC version 1.0.0 enforces weak password policies that enable attackers to conduct brute-force attacks a

CVE-2025-55275 LOW
3.7 Mar 26

HCL Aftermarket DPC versions up to 1.0.0 contain an admin session concurrency vulnerability that allows authenticated at

CVE-2025-55270 LOW
3.5 Mar 26

HCL Aftermarket DPC version 1.0.0 contains improper input validation (CWE-20) that enables multiple injection attack vec

Share

CVE-2025-55272 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy