CVE-2025-55275

EUVD-2025-209073 | Severity: LOW 3.7 (CVSS 3.1) | Published: 2026-03-26 | Vendor: HCL | GHSA-5974-fx7v-4cwm

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: Low

Lifecycle Timeline

Analysis Generated: Mar 26, 2026 - 13:15 (vuln.today)
EUVD ID Assigned: Mar 26, 2026 - 13:15 (euvd) EUVD-2025-209073
CVE Published: Mar 26, 2026 - 12:47 (nvd)

Description

HCL Aftermarket DPC is affected by an admin session concurrency vulnerability through which an attacker can exploit concurrent sessions to hijack or impersonate an admin user.

Analysis

HCL Aftermarket DPC version 1.0.0 (see Affected Products) contains an admin session concurrency vulnerability that allows an authenticated attacker with low privileges to hijack or impersonate an administrator session by abusing improper handling of concurrent sessions. The CVSS 3.1 vector rates attack complexity as High and requires user interaction, with low impact on confidentiality and availability and none on integrity, which yields the 3.7 (Low) score. No public exploit has been identified at the time of analysis and CISA has not added the CVE to the KEV catalog, so real-world exploitation pressure appears limited despite the administrative access at stake.

Technical Context

The vulnerability is classified under CWE-557 (Concurrency Issues), the CWE category for weaknesses that arise from improper handling of concurrent operations, here applied to web session management. The NVD CPE (cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*) carries a wildcard version, so it identifies the product rather than a specific affected range. The advisory does not publish the root cause; the description is consistent with concurrent session handling that fails to isolate or invalidate administrative sessions, so that an attacker holding valid low-privilege credentials can exploit a race condition or a session-state inconsistency to act as an administrator. Weaknesses of this kind typically arise when a session token is not bound to a single client or when invalidation (on logout, re-login or privilege change) is not propagated across all concurrent contexts for the same account.

Affected Products

ENISA's EUVD-2025-209073 lists HCL Aftermarket DPC version 1.0.0 as affected; earlier versions may also be affected, but the NVD CPE (cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*) uses a wildcard version, so confirm the exact affected range against the vendor advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793. Additional details are documented in the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2025-55275.

Remediation

Apply the security update provided by HCL Software via their support portal (https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793). The advisory should specify the patched version number; upgrade to that version immediately. As an interim mitigation pending patching, enforce strict session management policies including single concurrent session limits per administrator account, implement mandatory session timeout for administrative sessions, and restrict administrative access to known IP ranges or VPN endpoints. Consider implementing additional logging and alerting on concurrent administrative session attempts to detect exploitation attempts.
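The interim mitigations above (one live session per administrator, a mandatory admin idle timeout, and an audit event whenever a second concurrent admin login arrives) as an added Python example, which also illustrates the session-isolation failure sketched under Technical Context. This is illustrative code written for this page, not code from HCL Aftermarket DPC, whose session internals the advisory does not describe; the timeout value, the audit event names and the scenario IPs are assumptions. Setting `single_admin_session=False` models the weak behaviour the description implies, where a hijacked or leaked admin token stays valid alongside the legitimate session.

```python
"""Admin session store with single-session enforcement and audit events.

Added example, not code from HCL Aftermarket DPC. ADMIN_IDLE_TIMEOUT and the
audit event names are assumed policy values, not anything from the vendor.
"""
import secrets
import time
from dataclasses import dataclass, field

ADMIN_IDLE_TIMEOUT = 900  # seconds; assumed mandatory admin idle timeout


@dataclass
class Session:
    token: str
    user: str
    role: str
    client_ip: str
    last_seen: float


@dataclass
class SessionStore:
    # False models the weak behaviour: any number of live admin sessions for
    # one account coexist, so a hijacked token stays valid beside the real one.
    # True is the interim mitigation recommended above.
    single_admin_session: bool = True
    sessions: dict = field(default_factory=dict)  # token -> Session
    audit: list = field(default_factory=list)     # events to ship to the SIEM

    def _expired(self, s, now):
        # Only admin sessions get the mandatory timeout in this model.
        return s.role == "admin" and now - s.last_seen > ADMIN_IDLE_TIMEOUT

    def live_sessions(self, user, now=None):
        now = time.time() if now is None else now
        return [s for s in self.sessions.values()
                if s.user == user and not self._expired(s, now)]

    def login(self, user, role, client_ip, now=None):
        """Issue a fresh token; for admins, audit and (if enforcing) revoke others."""
        now = time.time() if now is None else now
        if role == "admin":
            others = self.live_sessions(user, now)
            if others:
                # A second admin login is the signal the detection advice is
                # about: record it whether or not the old session is revoked.
                self.audit.append({"event": "admin_concurrent_login", "user": user,
                                   "existing_ips": sorted({s.client_ip for s in others}),
                                   "new_ip": client_ip, "ts": now})
            if self.single_admin_session:
                for old in others:
                    del self.sessions[old.token]
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, user, role, client_ip, now)
        return token

    def authorize(self, token, client_ip, now=None):
        """Return the Session for a live token, or None.

        Admin tokens are bound to the IP that created them, so a token copied
        to another host is rejected and audited. This is coarse behind NAT or a
        VPN concentrator whose clients share one egress address, hence interim.
        """
        now = time.time() if now is None else now
        s = self.sessions.get(token)
        if s is None:
            return None
        reason = None
        if self._expired(s, now):
            reason = "expired"
        elif s.role == "admin" and s.client_ip != client_ip:
            reason = "ip_mismatch"
        if reason:
            self.audit.append({"event": "admin_session_rejected", "user": s.user,
                               "reason": reason, "bound_ip": s.client_ip,
                               "caller_ip": client_ip, "ts": now})
            del self.sessions[token]
            return None
        s.last_seen = now
        return s


def demo(single_admin_session):
    """Constructed scenario: the admin logs in from 10.0.0.5, then a second
    login for the same admin account arrives from 192.0.2.9 a minute later."""
    store = SessionStore(single_admin_session=single_admin_session)
    t0 = 1_000_000.0
    admin_tok = store.login("dpc-admin", "admin", "10.0.0.5", now=t0)
    store.login("dpc-admin", "admin", "192.0.2.9", now=t0 + 60)
    live = len(store.live_sessions("dpc-admin", now=t0 + 61))
    first_still_valid = store.authorize(admin_tok, "10.0.0.5", now=t0 + 120) is not None
    replayed = store.authorize(admin_tok, "198.51.100.7", now=t0 + 130) is not None
    return {"live_admin_sessions": live, "first_still_valid": first_still_valid,
            "replay_from_elsewhere": replayed,
            "events": [e["event"] for e in store.audit]}


if __name__ == "__main__":
    print("weak:    ", demo(single_admin_session=False))
    print("hardened:", demo(single_admin_session=True))
```

In the weak configuration both admin sessions stay live and the first token keeps working after the second login; in the hardened configuration the second login revokes the first, so whichever party did not just log in is locked out and the `admin_concurrent_login` event tells the operator to investigate.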

Priority Score

18 on a Low / Medium / High / Critical scale. Components: KEV 0, EPSS +0.0, CVSS +18, POC 0.


CVE-2025-55275 vulnerability details – vuln.today
