Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
HCL Aftermarket DPC is affected by Hardcoded Sensitive Data which allows attacker to gain access to the source code or if it is stored in insecure repositories, they can easily retrieve these hardcoded secrets.
AnalysisAI
Hardcoded credentials in HCL Aftermarket DPC version 1.0.0 enable authenticated low-privilege attackers with user interaction to extract sensitive secrets from source code or insecure repositories, resulting in high confidentiality compromise and complete denial of service. CVSS score 7.3 reflects network-accessible attack requiring low privileges and user interaction. No public exploit identified at time of analysis, with SSVC framework indicating no current exploitation and non-automatable attack characteristics.
Technical ContextAI
This vulnerability stems from CWE-798 (Use of Hard-coded Credentials), where sensitive authentication data or cryptographic secrets are embedded directly in the application codebase. The affected product is HCL Aftermarket DPC (cpe:2.3:a:hcl:aftermarket_dpc), specifically version 1.0.0. Hardcoded credentials represent a fundamental security anti-pattern where static secrets in source code can be extracted through reverse engineering, repository access, or binary analysis. Unlike dynamic credential management systems, hardcoded secrets cannot be rotated without code changes and remain persistent across deployments. The vulnerability allows attackers who obtain source code access or discover insecurely stored repositories to retrieve these embedded secrets, potentially including database passwords, API keys, encryption keys, or service account credentials.
RemediationAI
Consult the HCL security advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793 for vendor-recommended remediation steps and patch availability. Organizations should immediately rotate all credentials that may have been hardcoded in version 1.0.0, implement external credential management systems such as HashiCorp Vault or cloud provider secret managers, and conduct source code audits to identify all embedded secrets. Until patching is completed, restrict network access to Aftermarket DPC instances to trusted IP ranges, enforce principle of least privilege for user accounts, implement comprehensive monitoring for unauthorized access attempts, and secure all source code repositories with access controls and audit logging. Remove any publicly accessible repositories containing the vulnerable code and review commit history for exposed secrets.
More in Aftermarket Dpc
View allSQL injection in HCL Aftermarket DPC version 1.0.0 enables unauthenticated remote attackers to extract sensitive databas
Missing functional level access control in HCL Aftermarket DPC version 1.0.0 enables privilege escalation attacks that c
HCL Aftermarket DPC version 1.0.0 is vulnerable to unauthenticated file discovery that allows remote attackers to read s
HCL Aftermarket DPC versions up to 1.0.0 are vulnerable to session fixation attacks that enable attackers to hijack user
HCL Aftermarket DPC versions prior to and including 1.0.0 suffer from an unrestricted file upload vulnerability (CWE-434
Session invalidation failure in HCL Aftermarket DPC versions up to 1.0.0 allows authenticated attackers to maintain acti
HCL Aftermarket DPC version 1.0.0 is vulnerable to excessive spamming that consumes server bandwidth and processing reso
HCL Aftermarket DPC is vulnerable to Cross Domain Script Include (CWE-829) that permits unauthenticated remote attackers
HCL Aftermarket DPC version 1.0.0 enforces weak password policies that enable attackers to conduct brute-force attacks a
HCL Aftermarket DPC versions up to 1.0.0 contain an admin session concurrency vulnerability that allows authenticated at
HCL Aftermarket DPC version 1.0.0 contains improper input validation (CWE-20) that enables multiple injection attack vec
HTTP Response Splitting in HCL Aftermarket DPC allows unauthenticated remote attackers to inject arbitrary content or co
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209083