CVE-2025-55272

EUVD-2025-209067 | Severity: LOW | Published: 2026-03-26 | Vendor: HCL | GHSA-9hpr-m4wx-q284 | CVSS 3.1 base score: 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 26, 2026 - 13:15 (vuln.today)
EUVD ID Assigned: Mar 26, 2026 - 13:15 (euvd) - EUVD-2025-209067
CVE Published: Mar 26, 2026 - 12:55 (nvd)

Description

HCL Aftermarket DPC is affected by a Banner Disclosure vulnerability in which attackers gain insight into the system's software and version details, allowing them to craft software-specific attacks.

Analysis

HCL Aftermarket DPC discloses sensitive system and software version information through banner responses, enabling attackers to enumerate deployed instances and tailor version-specific exploits. Aftermarket DPC version 1.0.0 is confirmed affected. The vulnerability requires user interaction and high attack complexity but results in partial confidentiality loss; no public exploit has been identified at the time of analysis.

Technical Context

The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and manifests as a banner disclosure flaw in HCL Aftermarket DPC (cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*). Banner disclosure vulnerabilities occur when application responses, error messages, or HTTP headers leak version strings, server identification, or other implementation details. In this case, HCL Aftermarket DPC exposes software identification and version metadata to unauthenticated, remote attackers, and that metadata can be passively harvested during the reconnaissance phase. This information disclosure does not directly enable code execution or system compromise, but it removes much of the uncertainty an attacker would otherwise face about what is deployed, uncertainty that normally affords some protection to obscure or already-patched systems.

Affected Products

HCL Aftermarket DPC version 1.0.0 is confirmed affected per ENISA EUVD ID EUVD-2025-209067. The vulnerability applies broadly to the product line as indicated by the CPE (cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*). Consult the vendor security advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793 for comprehensive version impact details and patch availability.

Remediation

Apply the security patch provided by HCL as documented in KB0129793 (https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793). If immediate patching is not feasible, apply network-level mitigations by restricting remote access to HCL Aftermarket DPC management interfaces to trusted IP ranges and authenticated networks only. Configure the reverse proxy in front of the application to strip banner-bearing response headers (e.g., remove the Server and X-Powered-By headers), and enforce HTTPS with a strong TLS configuration so that banners cannot be read off the wire by a passive observer. Monitor logs for reconnaissance attempts targeting version information endpoints.
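The following is an added example, not part of this vuln.today record and not code from HCL or the Aftermarket DPC product. It shows the defender-side check behind the header-stripping mitigation above: it parses a raw HTTP response, reports which headers disclose a product name or version (as a banner-disclosure check would), and returns the header set as a reverse proxy should forward it. The header names considered "banner" headers, the version regex, and the sample response (with an invented product name and version) are this example's own assumptions.

```python
"""Banner-disclosure header check (added example; assumptions are marked below)."""
import re

# Assumption: response headers that commonly carry product/version banners.
# Server and X-Powered-By are the two the remediation text names; the others
# are this example's additions for the same class of disclosure.
BANNER_HEADERS = {
    "server",
    "x-powered-by",
    "x-aspnet-version",
    "x-aspnetmvc-version",
    "x-generator",
}

# Assumption: a dotted numeric token such as 4.2.1 or 2.7 is a version string.
VERSION_RE = re.compile(r"\b\d+(?:\.\d+){1,3}\b")


def parse_headers(raw):
    """Parse the head of a raw HTTP/1.x response into a list of (name, value)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip(), value.strip()))
    return headers


def find_banner_leaks(headers):
    """Return each banner header present, with the version it exposes (if any).

    A banner header without a dotted version (e.g. "Server: nginx") still
    discloses the product, so it is reported with version=None.
    """
    findings = []
    for name, value in headers:
        if name.lower() in BANNER_HEADERS:
            match = VERSION_RE.search(value)
            findings.append({
                "header": name,
                "value": value,
                "version": match.group(0) if match else None,
            })
    return findings


def strip_banner_headers(headers):
    """Header set as a hardened reverse proxy should forward it."""
    return [(n, v) for n, v in headers if n.lower() not in BANNER_HEADERS]


# Constructed sample response: product name and version are invented
# placeholders, not values observed from any real system.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: ExampleAppServer/4.2.1\r\n"
    b"X-Powered-By: ExampleFramework 2.7\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def audit(raw=SAMPLE_RESPONSE):
    """Run the check on one raw response: (leaks found, hardened header list)."""
    headers = parse_headers(raw)
    return find_banner_leaks(headers), strip_banner_headers(headers)


if __name__ == "__main__":
    leaks, hardened = audit()
    for finding in leaks:
        print("banner disclosed by %s: %r (version: %s)"
              % (finding["header"], finding["value"], finding["version"]))
    print("headers after stripping:", hardened)
```

Run it against a captured response from a staging instance of your own deployment (after patching, or after the proxy rule is in place) to confirm that no banner header survives; a non-empty `leaks` list means the mitigation is not yet effective.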

Priority Score: 16 (scale: Low / Medium / High / Critical)

KEV: 0
EPSS: +0.0
CVSS: +16
POC: 0

CVE-2025-55272 vulnerability details – vuln.today
