Severity by source
AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L
Lifecycle Timeline
3DescriptionCVE.org
HCL Aftermarket DPC is affected by Admin Session Concurrency vulnerability using which an attacker can exploit concurrent sessions to hijack or impersonate an admin user.
AnalysisAI
HCL Aftermarket DPC versions up to 1.0.0 contain an admin session concurrency vulnerability that allows authenticated attackers with low privileges to hijack or impersonate administrator sessions through exploitation of improper concurrent session handling. The vulnerability requires user interaction and has moderate attack complexity, resulting in partial confidentiality and availability impact. No public exploit has been identified at time of analysis, and CISA has not listed this in the KEV catalog, indicating limited real-world exploitation pressure despite the administrative access implications.
Technical ContextAI
The vulnerability is classified under CWE-557 (Improper Removal of Web Cache Headers), which relates to session management and authentication bypass mechanisms. HCL Aftermarket DPC (cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*) is affected across its product line. The root cause involves concurrent session handling that fails to properly isolate or invalidate administrative sessions, allowing attackers who possess valid low-privilege credentials to exploit race conditions or session state inconsistencies to assume administrative privileges. This typically occurs when session tokens are not properly bound to single concurrent connections or when session invalidation across multiple concurrent contexts is not enforced.
RemediationAI
Apply the security update provided by HCL Software via their support portal (https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793). The advisory should specify the patched version number; upgrade to that version immediately. As an interim mitigation pending patching, enforce strict session management policies including single concurrent session limits per administrator account, implement mandatory session timeout for administrative sessions, and restrict administrative access to known IP ranges or VPN endpoints. Consider implementing additional logging and alerting on concurrent administrative session attempts to detect exploitation attempts.
More in Aftermarket Dpc
View allSQL injection in HCL Aftermarket DPC version 1.0.0 enables unauthenticated remote attackers to extract sensitive databas
Missing functional level access control in HCL Aftermarket DPC version 1.0.0 enables privilege escalation attacks that c
Hardcoded credentials in HCL Aftermarket DPC version 1.0.0 enable authenticated low-privilege attackers with user intera
HCL Aftermarket DPC version 1.0.0 is vulnerable to unauthenticated file discovery that allows remote attackers to read s
HCL Aftermarket DPC versions up to 1.0.0 are vulnerable to session fixation attacks that enable attackers to hijack user
HCL Aftermarket DPC versions prior to and including 1.0.0 suffer from an unrestricted file upload vulnerability (CWE-434
Session invalidation failure in HCL Aftermarket DPC versions up to 1.0.0 allows authenticated attackers to maintain acti
HCL Aftermarket DPC version 1.0.0 is vulnerable to excessive spamming that consumes server bandwidth and processing reso
HCL Aftermarket DPC is vulnerable to Cross Domain Script Include (CWE-829) that permits unauthenticated remote attackers
HCL Aftermarket DPC version 1.0.0 enforces weak password policies that enable attackers to conduct brute-force attacks a
HCL Aftermarket DPC version 1.0.0 contains improper input validation (CWE-20) that enables multiple injection attack vec
HTTP Response Splitting in HCL Aftermarket DPC allows unauthenticated remote attackers to inject arbitrary content or co
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209073
GHSA-5974-fx7v-4cwm