Description
HCL Aftermarket DPC is affected by an Unrestricted File Upload vulnerability that allows an attacker to upload and execute malicious scripts, gaining full control over the server.
Published: 2026-03-26
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

HCL Aftermarket DPC suffers from an unrestricted file upload flaw that permits an attacker to upload and run malicious scripts, giving them full control over the server. This issue aligns with CWE-434, highlighting the absence of proper file type validation. The vulnerability can lead to compromise of confidentiality, integrity, and availability of the affected system.

Affected Systems

The affected product is HCL Aftermarket DPC, version 1.0.0. No other versions are listed as impacted in the provided data.

Risk and Exploitability

The CVSS score of 5.7 indicates a moderate risk level, while the EPSS score is not available, leaving the exact likelihood of exploitation unclear. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is via the web interface that accepts file uploads, allowing a remote attacker to upload and execute scripts without authorization.

Generated by OpenCVE AI on March 26, 2026 at 21:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑provided patch or upgrade to the latest HCL Aftermarket DPC version as outlined in the advisory.
  • If a patch is not immediately available, block or disable the file upload feature to prevent exploitation.
  • Verify that the server no longer accepts arbitrary files through a controlled upload test.
  • Continuously monitor the system for unauthorized file uploads or execution after remediation.


Advisories

No advisories yet.

History

Fri, 27 Mar 2026 08:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Hcl, Hcl aftermarket Dpc
Vendors & Products | | Hcl, Hcl aftermarket Dpc

Thu, 26 Mar 2026 20:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Hcltech, Hcltech aftermarket Cloud
CPEs | | cpe:2.3:a:hcltech:aftermarket_cloud:1.0.0:*:*:*:*:*:*:*
Vendors & Products | | Hcltech, Hcltech aftermarket Cloud

Thu, 26 Mar 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 13:15:00 +0000

Type | Values Removed | Values Added
Description | | HCL Aftermarket DPC is affected by Unrestricted File Upload vulnerability, allows attacker to upload and execute malicious scripts, gaining full control over the server.
Title | | HCL Aftermarket DPC is affected by Unrestricted File Upload vulnerability
Weaknesses | | CWE-434
References | |
Metrics | | cvssV3_1: {'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N'}

Subscriptions

Hcl Aftermarket Dpc
Hcltech Aftermarket Cloud
MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-03-26T15:01:11.372Z

Reserved: 2025-08-12T06:59:56.644Z

Link: CVE-2025-55267

Vulnrichment

Updated: 2026-03-26T13:39:51.607Z

NVD

Status: Analyzed

Published: 2026-03-26T13:16:25.953

Modified: 2026-03-26T20:35:15.703

Link: CVE-2025-55267

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:28:28Z

Weaknesses