Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Network login is reachable without auth (AV:N/PR:N), but success requires many guesses and a weak/no-MFA account (AC:H); a compromised account yields confidentiality (C:H) and limited integrity (I:L), with no availability impact (A:N).
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
9DescriptionNVD
Rate Limiting for attempting a user login is not being properly enforced, making HCL DevOps Velocity susceptible to brute-force attacks past the unsuccessful login attempt limit. This vulnerability is fixed in 5.1.7.
AnalysisAI
Missing login rate-limiting in HCL DevOps Velocity (all versions before 5.1.7) lets remote attackers submit unlimited authentication attempts past the intended failed-login threshold, enabling automated brute-force and credential-stuffing against user accounts. Reported by HCL and fixed in 5.1.7, with no public exploit identified at time of analysis; EPSS is very low (0.02%) and CISA SSVC records exploitation as none and technical impact as only partial, contrasting sharply with the vendor's 9.8 CVSS.
Technical ContextAI
The flaw is CWE-307 (Improper Restriction of Excessive Authentication Attempts): the application defines an unsuccessful-login-attempt limit but fails to enforce it, so account lockout or throttling does not trigger. HCL DevOps Velocity (formerly UrbanCode Velocity) is an enterprise value-stream-management and DevOps orchestration platform; the affected component is the authentication/login path exposed over the network. The single CPE, cpe:2.3:a:hclsoftware:velocity:*, covers all Velocity releases up to the fix, meaning the missing control is in the core product rather than an optional module.
RemediationAI
Vendor-released patch: 5.1.7 - upgrade HCL DevOps Velocity to 5.1.7 or later as the primary and only complete fix, per HCL advisory KB0130138 (https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130138). Until the upgrade is applied, reduce brute-force exposure with compensating controls: enforce multi-factor authentication so that guessed passwords alone are insufficient (adds a login step for users), place the Velocity login endpoint behind a reverse proxy or WAF that applies per-IP/per-account request throttling and progressive delays (may block legitimate users behind shared NAT if thresholds are too tight), restrict network access to the login interface to trusted VPN/management networks (removes internet-facing exposure but limits remote convenience), and enforce a strong password policy plus monitor authentication logs for high-volume failed-login patterns to detect attempts the missing limiter would otherwise have stopped.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209421