Description
HCL Aftermarket DPC is affected by a Failure to Invalidate Session on Password Change. An attacker who has access to a session can maintain control over the account despite the password change, leading to account takeover.
Published: 2026-03-26
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Account Takeover
Action: Immediate Patch
AI Analysis

Impact

A vulnerability in HCL Aftermarket DPC allows an attacker to keep an active session after the account password has been changed. Because the system does not invalidate existing sessions when a password is updated, an attacker who previously obtained a session can continue to use it, effectively taking over the account. This weakness is classified as CWE-613 (Insufficient Session Expiration) and enables persistent unauthorized control without requiring any additional credentials.

Affected Systems

The affected product is HCL Aftermarket DPC, version 1.0.0 as identified by the Common Platform Enumeration entry. No other vendor or product versions are listed in the provided data.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity. Exploitation requires that the attacker already holds a valid session before the password change; after that, continued access is possible until the session expires or is manually terminated. The EPSS score is unavailable, and the vulnerability is not listed in the CISA KEV catalog, suggesting it is not a widely known or actively exploited issue. However, the potential for undetected account takeover makes it a significant risk for systems that rely on password changes for security mitigation.

Generated by OpenCVE AI on March 26, 2026 at 21:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest update or patch for HCL Aftermarket DPC that addresses session invalidation on password change.
  • If an update is not yet available, manually terminate all user sessions after a password change and enforce a mandatory re-login for active users.
  • Monitor account activity for abnormal session persistence and alert on suspicious long‑lived sessions.
  • Consult the HCL support reference for additional guidance and updates.
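The following is an added illustration of the weakness described in the Impact section and of the second recommended action (terminate all sessions after a password change). It is constructed for this page and is not HCL code: a hypothetical in-memory session store with a flag that either reproduces the CWE-613 behaviour or applies the fix (revoke every other session for the account and rotate the session that made the change), plus a detection helper that flags sessions created before the account's last password change, matching the third recommended action. The logical clock, user names and passwords are constructed sample data.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed model for illustration; not HCL Aftermarket DPC code.


@dataclass
class User:
    username: str
    password_hash: str
    password_changed_at: int  # logical clock tick of the last password change


@dataset_placeholder = None  # noqa: placeholder removed below
```
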

Generated by OpenCVE AI on March 26, 2026 at 21:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Hcl
Hcl aftermarket Dpc
Vendors & Products Hcl
Hcl aftermarket Dpc

Thu, 26 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Hcltech
Hcltech aftermarket Cloud
CPEs cpe:2.3:a:hcltech:aftermarket_cloud:1.0.0:*:*:*:*:*:*:*
Vendors & Products Hcltech
Hcltech aftermarket Cloud

Thu, 26 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 13:45:00 +0000

Type Values Removed Values Added
Description HCL Aftermarket DPC is affected by Failure to Invalidate Session on Password Change will allow attacker to access to a session, then they can maintain control over the account despite the password change leading to account takeover.
Title HCL Aftermarket DPC is affected by Failure to Invalidate Session on Password Change
Weaknesses CWE-613
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L'}


Subscriptions

Hcl Aftermarket Dpc
Hcltech Aftermarket Cloud
cve-icon MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-03-26T18:35:17.005Z

Reserved: 2025-08-12T06:59:56.644Z

Link: CVE-2025-55264

cve-icon Vulnrichment

Updated: 2026-03-26T18:35:13.832Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T14:16:08.157

Modified: 2026-03-26T19:52:55.690

Link: CVE-2025-55264

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:28:25Z

Weaknesses