EUVD-2025-209079

CVE: CVE-2025-55261
Severity: HIGH
Published: 2026-03-26
Vendor: HCL
CVSS 3.1 base score: 8.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 26, 2026 - 13:45 (vuln.today)
EUVD ID Assigned: Mar 26, 2026 - 13:45 (euvd), EUVD-2025-209079
CVE Published: Mar 26, 2026 - 13:10 (nvd)

Description

HCL Aftermarket DPC is affected by Missing Functional Level Access Control, which will allow an attacker to escalate his privileges and may compromise the application and may steal and manipulate the data.

Analysis

Missing functional level access control in HCL Aftermarket DPC version 1.0.0 enables privilege escalation attacks that can compromise application integrity and confidentiality. Unauthenticated attackers can leverage this access control flaw to manipulate and exfiltrate data, provided a user performs the required interaction (CVSS 8.1, AV:N/AC:L/PR:N/UI:R). No public exploit has been identified at the time of analysis; CISA SSVC rates the technical impact as partial and the exploitation status as none.

Technical Context

HCL Aftermarket DPC version 1.0.0 (CPE: cpe:2.3:a:hcl:aftermarket_dpc) suffers from CWE-284 (Improper Access Control), specifically missing functional level access control. This vulnerability class occurs when an application fails to verify that the caller is authorized before granting access to privileged functions or resources. Unlike an authentication bypass, which defeats credential checks, a functional level access control failure lets authenticated or unauthenticated users invoke administrative or privileged operations by directly requesting URLs, API endpoints, or application functions whose authorization is not enforced at the business logic layer. The CVSS vector indicates a network-accessible attack surface (AV:N) with no authentication prerequisite (PR:N), though user interaction is required (UI:R).

Affected Products

HCL Aftermarket DPC version 1.0.0 is confirmed vulnerable per ENISA EUVD-2025-209079. The affected product is identified via CPE string cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:* with specific version 1.0.0 listed in European Union Vulnerability Database records. HCL has published advisory details at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793 and the vulnerability is cataloged in the National Vulnerability Database at https://nvd.nist.gov/vuln/detail/CVE-2025-55261.

Remediation

Consult the HCL vendor advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793 for specific patching guidance and version upgrade instructions; patch availability and fixed version numbers are published in HCL support knowledge base article KB0129793. Until patching is completed, implement compensating controls: network segmentation that restricts access to Aftermarket DPC instances to trusted IP ranges, web application firewall rules that monitor and block unauthorized function invocations, strict session management and role-based access controls enforced at the infrastructure layer, and enhanced logging to detect privilege escalation attempts. Organizations should review audit logs for administrative function calls made from low-privilege or unauthenticated sessions.
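The log review recommended above, as an added example that is not part of this record or of HCL's advisory: it scans access-log lines for calls to privileged functions from sessions that lack the privileged role, separating calls that succeeded (the signature of missing functional level access control) from calls the application denied. The log format, the /admin/ route prefix, the role names and the sample lines are all constructed assumptions; the page names no endpoints, so map them to the real application's routes.

```python
import re
from collections import namedtuple

# Constructed sample log lines (not from HCL Aftermarket DPC); the format is an
# assumption: <timestamp> session=<id> role=<role> <METHOD> <path> <status>
SAMPLE_LOG = """\
2026-03-26T13:00:01Z session=- role=anonymous GET /login 200
2026-03-26T13:00:05Z session=a1 role=user GET /orders/42 200
2026-03-26T13:00:09Z session=a1 role=user POST /admin/users/7/role 200
2026-03-26T13:00:12Z session=- role=anonymous GET /admin/export/orders 200
2026-03-26T13:00:15Z session=b2 role=admin POST /admin/users/7/role 200
2026-03-26T13:00:20Z session=a1 role=user GET /admin/users 403
"""

# Hypothetical privileged route prefix and role; map these to the real application.
PRIVILEGED_PREFIXES = ("/admin/",)
PRIVILEGED_ROLES = {"admin"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) role=(?P<role>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

Finding = namedtuple("Finding", "ts session role method path status outcome")

def find_privilege_escalation(log_text: str) -> list:
    """Flag privileged-function calls from sessions without the privileged role.

    outcome "succeeded" (2xx): the request reached business logic, which is what
    missing function-level access control looks like in the logs.
    outcome "denied" (401/403): the control held, but the attempt is still recorded.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the review
        if not m["path"].startswith(PRIVILEGED_PREFIXES) or m["role"] in PRIVILEGED_ROLES:
            continue
        status = int(m["status"])
        if 200 <= status < 300:
            outcome = "succeeded"
        elif status in (401, 403):
            outcome = "denied"
        else:
            continue  # other statuses (404, 500, ...) are not classified here
        findings.append(Finding(m["ts"], m["session"], m["role"], m["method"],
                                m["path"], status, outcome))
    return findings

if __name__ == "__main__":
    for f in find_privilege_escalation(SAMPLE_LOG):
        print(f"{f.ts} role={f.role} session={f.session} {f.method} {f.path} -> {f.outcome}")
```

On the constructed sample this reports two succeeded calls (one from a low-privilege user, one from an anonymous session) and one denied attempt; a succeeded finding is the one to escalate.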

Priority Score

Score: 40 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +40
POC: 0
