EUVD-2025-209081 | CVE-2025-55262
Severity: HIGH, CVSS 3.1 base score 8.3
Published: 2026-03-26
Vendor: HCL
GitHub advisory: GHSA-2g37-4q7v-m5xx

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: Low
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 26, 2026 - 13:45 (vuln.today)
EUVD ID Assigned: Mar 26, 2026 - 13:45 (euvd), EUVD-2025-209081
CVE Published: Mar 26, 2026 - 13:07 (nvd), HIGH 8.3

Description

HCL Aftermarket DPC is affected by SQL Injection, which allows an attacker to exploit this vulnerability to retrieve sensitive information from the database.

Analysis

SQL injection in HCL Aftermarket DPC version 1.0.0 enables unauthenticated remote attackers to extract sensitive database contents and potentially compromise data integrity and availability. The vulnerability carries a CVSS 3.1 base score of 8.3, with a network-based attack vector that requires user interaction. No public exploit was identified at the time of analysis, and the SSVC assessment indicates no current exploitation and non-automatable attack characteristics.

Technical Context

HCL Aftermarket DPC version 1.0.0 (cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*) contains a SQL injection vulnerability that allows database manipulation through unsanitized user input. Notably, the CVE record maps to CWE-798 (Use of Hard-coded Credentials) rather than the expected CWE-89 (SQL Injection), which suggests the attack path may involve static credentials that facilitate the SQL injection. This discrepancy between the described SQL injection and the assigned CWE-798 indicates the issue may be a compound vulnerability in which hard-coded credentials enable subsequent SQL injection exploitation. The product appears to be a dealer parts commerce platform handling aftermarket automotive or industrial parts inventory and transaction data.

Affected Products

HCL Aftermarket DPC version 1.0.0 is confirmed affected according to EUVD-2025-209081 data. The CPE string cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:* identifies HCL's aftermarket dealer parts commerce platform. The vendor has published advisory details at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793, and the National Vulnerability Database tracks the issue at https://nvd.nist.gov/vuln/detail/CVE-2025-55262. Organizations running HCL Aftermarket DPC 1.0.0 should treat themselves as affected and consult the vendor advisory immediately.

Remediation

Consult the HCL vendor security advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793 for official patch guidance and upgrade instructions. Specific patched version numbers are not confirmed in the available intelligence, but the vendor advisory should provide remediation steps and updated software releases. Until patching is complete, apply defense-in-depth controls: restrict network access to the DPC platform to trusted IP ranges only; deploy web application firewall rules to detect and block SQL injection attempts; enforce parameterized queries and input validation at the application layer where source code access permits; and monitor database query logs for suspicious activity. Because the CWE-798 classification suggests hard-coded credentials, also review and rotate any static authentication credentials used by the application.

Priority Score

42 (scale: Low / Medium / High / Critical)
Contributions: KEV 0, EPSS +0.0, CVSS +42, POC 0

EUVD-2025-209081 vulnerability details – vuln.today