CVE-2025-55277

EUVD ID: EUVD-2025-209077
Severity: LOW (CVSS 3.1 base score 2.6)
Published: 2026-03-26
Vendor: HCL
GHSA ID: GHSA-34h3-v5r4-2979

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 26, 2026 - 13:15 (vuln.today)
EUVD ID Assigned: Mar 26, 2026 - 13:15 (euvd), EUVD-2025-209077
CVE Published: Mar 26, 2026 - 12:45 (nvd)

Description

HCL Aftermarket DPC is affected by a Use of Vulnerable/Outdated Versions vulnerability, through which an attacker may make use of exploits available across the internet to craft attacks against the application.

Analysis

HCL Aftermarket DPC version 1.0.0 ships outdated or vulnerable third-party dependencies (CWE-1104), so the application is exposed to exploits already published for those components. Per the CVSS 3.1 vector, an authenticated attacker with low privileges who can also induce some user interaction could use such an exploit to obtain limited information disclosure; the high attack complexity and confidentiality-only impact keep the base score at 2.6 (Low). The score understates the supply-chain aspect: once the vulnerable component and its version are identified, off-the-shelf exploit code for it can be reused against deployments without any new research. No public exploit code for this CVE has been independently confirmed, and CISA has not added it to the Known Exploited Vulnerabilities catalog.

Technical Context

This vulnerability is classed as CWE-1104 (Use of Unmaintained Third Party Components), a component supply-chain weakness: HCL Aftermarket DPC incorporates outdated or unpatched libraries that carry publicly disclosed vulnerabilities. The NVD CPE (cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*) has a wildcard in the version field, so it records no version bound at all; it neither limits the issue to 1.0.0 nor confirms that other versions are affected. Rather than a flaw in Aftermarket DPC's own code, the risk stems from its reliance on third-party components whose vulnerabilities, and often working exploits, are available in public exploit databases and repositories. An attacker who fingerprints the bundled components and their versions (typically from version strings in HTTP responses, bundled script or library file names, or error pages) can then reuse known-working attack code without discovering anything new.

Affected Products

HCL Aftermarket DPC version 1.0.0 is confirmed affected per ENISA EUVD-2025-209077. The CPE entry cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:* carries no version bound, so other releases of the product cannot be ruled out from the CPE alone. Vendor guidance is available in HCL Security Advisory KB0129793 at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793, and additional detail is indexed in VulDB (https://vuldb.com/?id.353603) and NVD (https://nvd.nist.gov/vuln/detail/CVE-2025-55277). Exact patched versions, and affected version ranges beyond 1.0.0, are not specified in the sources cited here.

Remediation

Contact HCL support via the vendor security advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793 to obtain a patched release and a detailed component inventory; if a patched version is available, upgrade Aftermarket DPC. Pending vendor remediation, reduce exposure at the network and identity layers: restrict access to Aftermarket DPC to trusted internal networks, review which accounts hold access (the vector requires only a low-privileged authenticated user, so any account an attacker can obtain is a starting point), enforce TLS 1.2+ for all connections, and disable unnecessary features. Run a software composition analysis (SCA) scan of the deployment to identify the specific third-party libraries and versions it bundles, and cross-reference them against public vulnerability and exploit databases; this is what turns a generic CWE-1104 finding into a concrete list of components, fixed versions and exploit availability. If the vendor has not released a patch, request an explicit remediation timeline and apply interim compensating controls such as WAF rules or reverse-proxy hardening that block the known exploit patterns for the identified components.
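The SCA step above, and the fingerprint-then-reuse-known-exploits risk described under Technical Context, come down to one operation: match an inventory of bundled components and versions against advisory version ranges and rank the hits by exploit availability. The following is an added example, not code from HCL, vuln.today or the Aftermarket DPC product. It reads a CycloneDX-style SBOM and applies OSV-style introduced/fixed range semantics. Every component name, version and advisory ID in it is a constructed placeholder (the real Aftermarket DPC dependency list is not published), and the exploit_public flag stands in for data you would take from an exploit database.

```python
"""
Added example (not HCL, vuln.today or Aftermarket DPC code): a minimal
software composition analysis (SCA) matcher. Reads a CycloneDX-style
SBOM, checks components against OSV-style advisories, ranks hits.
All names, versions and advisory IDs are constructed placeholders.
"""
import json
import re

# Constructed SBOM in CycloneDX JSON shape (a real one would come from a
# generator such as syft or cyclonedx-cli run against the deployment).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-web-framework", "version": "4.2.1"},
    {"type": "library", "name": "example-xml-parser", "version": "1.9.0"},
    {"type": "library", "name": "example-json-lib", "version": "2.10.4"},
    {"type": "library", "name": "example-template-engine", "version": "3.0.0-rc1"}
  ]
}
"""

# Constructed advisories using the OSV schema's introduced/fixed events.
# 'exploit_public' is a placeholder for exploit-database lookups.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "package": "example-web-framework",
     "ranges": [{"events": [{"introduced": "4.0.0"}, {"fixed": "4.2.5"}]}],
     "exploit_public": True},
    {"id": "EXAMPLE-2023-0042", "package": "example-xml-parser",
     "ranges": [{"events": [{"introduced": "0"}, {"fixed": "1.8.2"}]}],
     "exploit_public": True},
    {"id": "EXAMPLE-2025-0007", "package": "example-json-lib",
     "ranges": [{"events": [{"introduced": "2.10.0"}, {"fixed": "2.11.0"}]}],
     "exploit_public": False},
    {"id": "EXAMPLE-2025-0100", "package": "example-template-engine",
     "ranges": [{"events": [{"introduced": "2.9.0"}]}],  # no fix released
     "exploit_public": False},
]

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-+]([0-9A-Za-z.]+))?$")


def parse_version(text: str) -> tuple:
    """'MAJOR.MINOR.PATCH[-prerelease]' -> sortable key. Numeric parts are
    padded to four (1.9 == 1.9.0); a pre-release sorts below its release
    (semver rule), so 3.0.0-rc1 < 3.0.0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * max(0, 4 - len(nums))
    pre = m.group(2)
    return nums + ((1,) if pre is None else (0, pre))


def is_affected(version: str, ranges: list) -> bool:
    """OSV range semantics: walk events in version order; the last event at
    or below the version decides (introduced -> affected, fixed -> not)."""
    v = parse_version(version)
    for rng in ranges:
        events = sorted((parse_version(val), kind)
                        for ev in rng["events"] for kind, val in ev.items())
        affected = False
        for ev_version, kind in events:
            if ev_version > v:
                break
            affected = kind == "introduced"
        if affected:
            return True
    return False


def first_fix(ranges: list):
    """Lowest 'fixed' version across the ranges, or None if unfixed."""
    fixes = [ev["fixed"] for rng in ranges for ev in rng["events"] if "fixed" in ev]
    return min(fixes, key=parse_version) if fixes else None


def scan(sbom_json: str, advisories: list) -> list:
    """Findings ordered: public-exploit hits first, then unfixed components."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if adv["package"] == comp["name"] and is_affected(comp["version"], adv["ranges"]):
                findings.append({"component": comp["name"], "version": comp["version"],
                                 "advisory": adv["id"], "fixed_in": first_fix(adv["ranges"]),
                                 "exploit_public": adv["exploit_public"]})
    findings.sort(key=lambda f: (not f["exploit_public"], f["fixed_in"] is not None, f["component"]))
    return findings


if __name__ == "__main__":
    for f in scan(SBOM_JSON, ADVISORIES):
        action = f"upgrade to {f['fixed_in']}" if f["fixed_in"] else "no fix: compensating controls"
        print(f"{f['component']} {f['version']}: {f['advisory']} "
              f"(exploit public: {f['exploit_public']}) -> {action}")
```

On the constructed inputs the scan reports three of the four components: the web framework (public exploit, fix available) first, then the template engine (no fix released, so it is the one that needs WAF or proxy controls rather than an upgrade), then the JSON library; the XML parser is already past its fixed version and is correctly skipped. The ordering mirrors the triage the Analysis section calls for, weaponizable-off-the-shelf components before everything else.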

Priority Score

13 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +0.1, CVSS +13, POC 0
