Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
HCL DFXAnalytics is affected by an Insufficient Transport Layer Protection vulnerability where data is transmitted over the network without encryption, which could allow an attacker to compromise the confidentiality, integrity, and authentication of sensitive information.
AnalysisAI
HCL DFXAnalytics transmits sensitive data over the network without encryption, allowing network-positioned attackers to intercept and read confidential information. The vulnerability requires high attack complexity (likely man-in-the-middle positioning) but affects all versions of the product when unencrypted channels are in use. No active exploitation has been reported, and the low CVSS score (3.7) reflects limited confidentiality impact with no integrity or availability compromise.
Technical ContextAI
This is a transport layer protection weakness (CWE-319) in HCL DFXAnalytics where the application fails to enforce encrypted communication channels for network-transmitted data. Rather than a cryptographic algorithm flaw, the root cause is architectural-the application either defaults to unencrypted protocols (such as HTTP, telnet, or unencrypted database connections) or fails to mandate TLS/SSL for sensitive data flows. The high attack complexity in the CVSS vector suggests exploitation requires network positioning (e.g., ARP spoofing, BGP hijacking, or compromised network infrastructure) rather than simple passive sniffing, indicating some network segmentation or partial encryption may exist but is incomplete or bypassable.
RemediationAI
Enable encryption for all network communications in HCL DFXAnalytics by enforcing TLS 1.2 or higher for all data transport channels, including client-server connections and backend database communications. Configure the application to reject unencrypted connections and validate certificate chains. Apply any security patches from HCL that address transport layer protection-check HCL support article KB0130569 for available fixes and configuration guidance. As a compensating control, restrict network access to DFXAnalytics instances using firewall rules and network segmentation, permitting connections only from authorized administrative clients and backend systems; this reduces attack surface but does not eliminate the vulnerability if an attacker gains network access. Additionally, implement network-level encryption via VPN or IPsec for all DFXAnalytics traffic if application-level TLS cannot be immediately deployed, though this creates operational complexity and should be treated as a temporary measure pending full TLS enforcement.
More in Dfxanalytics
View allTLS protocol downgrade exposure in HCL DFXAnalytics allows network-positioned attackers to intercept and decrypt sensiti
Account takeover through HTTP response manipulation in HCL DFXAnalytics enables a network-positioned attacker to interce
HCL DFXAnalytics fails to enforce strict Content-Security-Policy (CSP) directives for object-src and base-uri, enabling
HCL DFXAnalytics exposes internal file system paths and directory structure through unhandled error messages, system log
Stack-based buffer overflow in HCL DFXAnalytics allows remote unauthenticated attackers to crash or render the applicati
HCL DFXAnalytics contains unpatched third-party libraries with known vulnerabilities that could allow remote attackers w
HCL DFXAnalytics relies on the obsolete X-XSS-Protection security header instead of implementing a modern Content Securi
HCL DFXAnalytics exposes detailed stack traces in application responses due to improper error handling, allowing authent
Missing HSTS header in HCL DFXAnalytics exposes authenticated sessions to protocol downgrade and man-in-the-middle attac
Cross-Site Request Forgery exposure in HCL DFXAnalytics arises because session cookies generated during authentication a
HCL DFXAnalytics fails to set the 'secure' attribute on session cookies generated during authentication, enabling a netw
Internal IP address exposure in HCL DFXAnalytics allows remote attackers who have obtained high-privilege authenticated
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209663
GHSA-37m6-8rw8-wh8f