Skip to main content

HCL DFMPro CVE-2025-59866

LOW
Incorrect Permission Assignment for Critical Resource (CWE-732)
2026-07-17 HCL
3.3
CVSS 3.1 · Vendor: HCL

Severity by source

Vendor (HCL) PRIMARY
3.3 LOW
AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
vuln.today AI
7.5 HIGH

Successful exploitation yields arbitrary code execution as a privileged user (S:C, C:H/I:H/A:H); AC:H and UI:R reflect timing dependency on admin running installer.

3.1 AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (HCL).

CVSS VectorVendor: HCL

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 17, 2026 - 18:16 vuln.today

DescriptionCVE.org

The HCL DFMPro, DFXAnalytics and DFXServer installers are affected by ‘Insecure file permissions Leading to Privilege Escalation’ vulnerability, which enables any logged-in non-administrative user to overwrite or replace the executable file with a malicious binary.

AnalysisAI

Insecure file permissions on the HCL DFMPro (for CATIA), DFXAnalytics, and DFXServer installer executables allow any locally authenticated non-administrative user to overwrite or replace those binaries with malicious code. When a privileged user subsequently runs the tampered installer - during installation, upgrade, or reinstallation - the attacker's binary executes in the elevated context, completing a local privilege escalation. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; however, the vendor-reported CVSS 3.3 score materially understates the potential impact of a successful exploitation scenario.

Technical ContextAI

CWE-732 (Incorrect Permission Assignment for Critical Resource) describes the root cause: the affected HCL installer binaries are stored with file-system ACLs that grant write or modify rights to non-administrative local users. On Windows - the typical deployment platform for CATIA-integrated tooling - this manifests as NTFS permissions allowing any authenticated user (Users group) to overwrite executables that should be restricted to administrators. The affected products are HCL DFMPro for CATIA (cpe:2.3:a:hclsoftware:dfmpro_for_catia), HCL DFXAnalytics (cpe:2.3:a:hclsoftware:dfxanalytics), and HCL DFXServer (cpe:2.3:a:hclsoftware:dfxserver). This is a classical binary planting or installer hijacking pattern, exploitable without any vulnerability in the application's runtime logic.

RemediationAI

Consult the HCL advisory KB0132365 at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0132365 to obtain patched installer versions; an exact fix version is not independently confirmed from the available reference data, so direct review of that article is required. As an immediate compensating control, restrict NTFS permissions on the directories containing these installer executables so that only the local Administrators group and SYSTEM account hold write or modify rights - removing any permissions granted to the Users or Authenticated Users groups. Installer binaries should be removed from end-user-accessible locations immediately after deployment and stored in protected administrative shares. Deploy a file integrity monitoring (FIM) solution against installer directories to detect unauthorized binary replacement. These controls are effective but add operational overhead to the software update workflow, requiring administrators to stage installers from protected locations at update time.

Share

CVE-2025-59866 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy