Skip to main content

Aftermarket Dpc CVE-2025-55275

| EUVDEUVD-2025-209073 LOW
Concurrency Issues (CWE-557)
2026-03-26 HCL GHSA-5974-fx7v-4cwm
3.7
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.7 LOW
AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Mar 26, 2026 - 13:15 euvd
EUVD-2025-209073
Analysis Generated
Mar 26, 2026 - 13:15 vuln.today
CVE Published
Mar 26, 2026 - 12:47 nvd
LOW 3.7

DescriptionCVE.org

HCL Aftermarket DPC is affected by Admin Session Concurrency vulnerability using which an attacker can exploit concurrent sessions to hijack or impersonate an admin user.

AnalysisAI

HCL Aftermarket DPC versions up to 1.0.0 contain an admin session concurrency vulnerability that allows authenticated attackers with low privileges to hijack or impersonate administrator sessions through exploitation of improper concurrent session handling. The vulnerability requires user interaction and has moderate attack complexity, resulting in partial confidentiality and availability impact. No public exploit has been identified at time of analysis, and CISA has not listed this in the KEV catalog, indicating limited real-world exploitation pressure despite the administrative access implications.

Technical ContextAI

The vulnerability is classified under CWE-557 (Improper Removal of Web Cache Headers), which relates to session management and authentication bypass mechanisms. HCL Aftermarket DPC (cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*) is affected across its product line. The root cause involves concurrent session handling that fails to properly isolate or invalidate administrative sessions, allowing attackers who possess valid low-privilege credentials to exploit race conditions or session state inconsistencies to assume administrative privileges. This typically occurs when session tokens are not properly bound to single concurrent connections or when session invalidation across multiple concurrent contexts is not enforced.

RemediationAI

Apply the security update provided by HCL Software via their support portal (https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793). The advisory should specify the patched version number; upgrade to that version immediately. As an interim mitigation pending patching, enforce strict session management policies including single concurrent session limits per administrator account, implement mandatory session timeout for administrative sessions, and restrict administrative access to known IP ranges or VPN endpoints. Consider implementing additional logging and alerting on concurrent administrative session attempts to detect exploitation attempts.

CVE-2025-55262 HIGH
8.3 Mar 26

SQL injection in HCL Aftermarket DPC version 1.0.0 enables unauthenticated remote attackers to extract sensitive databas

CVE-2025-55261 HIGH
8.1 Mar 26

Missing functional level access control in HCL Aftermarket DPC version 1.0.0 enables privilege escalation attacks that c

CVE-2025-55263 HIGH
7.3 Mar 26

Hardcoded credentials in HCL Aftermarket DPC version 1.0.0 enable authenticated low-privilege attackers with user intera

CVE-2025-55265 MEDIUM
6.5 Mar 26

HCL Aftermarket DPC version 1.0.0 is vulnerable to unauthenticated file discovery that allows remote attackers to read s

CVE-2025-55266 MEDIUM
5.9 Mar 26

HCL Aftermarket DPC versions up to 1.0.0 are vulnerable to session fixation attacks that enable attackers to hijack user

CVE-2025-55267 MEDIUM
5.7 Mar 26

HCL Aftermarket DPC versions prior to and including 1.0.0 suffer from an unrestricted file upload vulnerability (CWE-434

CVE-2025-55264 MEDIUM
5.5 Mar 26

Session invalidation failure in HCL Aftermarket DPC versions up to 1.0.0 allows authenticated attackers to maintain acti

CVE-2025-55268 MEDIUM
4.3 Mar 26

HCL Aftermarket DPC version 1.0.0 is vulnerable to excessive spamming that consumes server bandwidth and processing reso

CVE-2025-55273 MEDIUM
4.3 Mar 26

HCL Aftermarket DPC is vulnerable to Cross Domain Script Include (CWE-829) that permits unauthenticated remote attackers

CVE-2025-55269 MEDIUM
4.2 Mar 26

HCL Aftermarket DPC version 1.0.0 enforces weak password policies that enable attackers to conduct brute-force attacks a

CVE-2025-55270 LOW
3.5 Mar 26

HCL Aftermarket DPC version 1.0.0 contains improper input validation (CWE-20) that enables multiple injection attack vec

CVE-2025-55271 LOW
3.1 Mar 26

HTTP Response Splitting in HCL Aftermarket DPC allows unauthenticated remote attackers to inject arbitrary content or co

Share

CVE-2025-55275 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy