{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-31991", "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "state": "PUBLISHED", "assignerShortName": "HCL", "dateReserved": "2025-04-01T18:46:35.960Z", "datePublished": "2026-04-13T15:56:41.979Z", "dateUpdated": "2026-04-13T17:11:10.727Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "shortName": "HCL", "dateUpdated": "2026-04-13T15:56:41.979Z"}, "title": "HCL DevOps Velocity is susceptible to brute-force attacks", "datePublic": "2026-04-13T15:55:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-307", "description": "CWE-307 Improper restriction of excessive authentication attempts", "type": "CWE"}]}], "affected": [{"vendor": "HCLSoftware", "product": "Velocity", "versions": [{"status": "affected", "version": "<.5.1.7"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Rate Limiting for attempting a user login is not being properly enforced, making HCL DevOps Velocity susceptible to brute-force attacks past the unsuccessful login attempt limit.\u00a0 This vulnerability is fixed in 5.1.7.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Rate Limiting for attempting a user login is not being properly enforced, making HCL DevOps Velocity susceptible to brute-force attacks past the unsuccessful login attempt limit.&nbsp; This vulnerability is fixed in 5.1.7."}]}], "references": [{"url": "https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130138"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 6.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T17:07:08.674988Z", "id": "CVE-2025-31991", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T17:11:10.727Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-31991", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T17:07:08.674988Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T17:11:03.941Z"}}], "cna": {"title": "HCL DevOps Velocity is susceptible to brute-force attacks", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "HCLSoftware", "product": "Velocity", "versions": [{"status": "affected", "version": "<.5.1.7"}], "defaultStatus": "unaffected"}], "datePublic": "2026-04-13T15:55:00.000Z", "references": [{"url": "https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130138"}], "x_generator": {"engine": "Vulnogram 1.0.0"}, "descriptions": [{"lang": "en", "value": "Rate Limiting for attempting a user login is not being properly enforced, making HCL DevOps Velocity susceptible to brute-force attacks past the unsuccessful login attempt limit.\u00a0 This vulnerability is fixed in 5.1.7.", "supportingMedia": [{"type": "text/html", "value": "Rate Limiting for attempting a user login is not being properly enforced, making HCL DevOps Velocity susceptible to brute-force attacks past the unsuccessful login attempt limit.&nbsp; This vulnerability is fixed in 5.1.7.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-307", "description": "CWE-307 Improper restriction of excessive authentication attempts"}]}], "providerMetadata": {"orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "shortName": "HCL", "dateUpdated": "2026-04-13T15:56:41.979Z"}}}, "cveMetadata": {"cveId": "CVE-2025-31991", "state": "PUBLISHED", "dateUpdated": "2026-04-13T17:11:10.727Z", "dateReserved": "2025-04-01T18:46:35.960Z", "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "datePublished": "2026-04-13T15:56:41.979Z", "assignerShortName": "HCL"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Rate Limiting for attempting a user login is not being properly enforced, making HCL DevOps Velocity susceptible to brute-force attacks past the unsuccessful login attempt limit.\u00a0 This vulnerability is fixed in 5.1.7."}], "id": "CVE-2025-31991", "lastModified": "2026-04-17T15:18:16.507", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.0, "source": "psirt@hcl.com", "type": "Secondary"}]}, "published": "2026-04-13T16:16:24.110", "references": [{"source": "psirt@hcl.com", "url": "https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130138"}], "sourceIdentifier": "psirt@hcl.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-307"}], "source": "psirt@hcl.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.1.7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Velocity", "source": "cna", "vendor": "HCLSoftware"}, "product": "velocity", "vendor": "hclsoftware"}], "analysis": {"en": {"generated_at": "2026-04-13T18:22:36.256208+00:00", "value": {"mitigation_remediation": ["Upgrade HCL DevOps Velocity to version 5.1.7 or later to apply the vendor fix.", "If an immediate upgrade is not possible, configure additional rate limiting or account lockout policies at the application or infrastructure level.", "Monitor login attempts and enforce monitoring for suspicious activity to detect potential brute\u2011force attempts."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Account Access via Brute\u2011Force Login"}, "threat_synthesis": {"affected_systems": "All HCL Software DevOps Velocity installations prior to version 5.1.7 are vulnerable. The vendor has released a fix in 5.1.7; no additional version details are supplied, so all earlier releases should be considered affected.", "description_and_impact": "Rate limiting for user logins is improperly enforced in HCL DevOps Velocity, allowing attackers to repeatedly attempt credentials. This flaw falls under credential misuse (CWE\u2011307) and can lead to unauthorized account access or service disruption. The CVSS score of 6.8 signals a moderate\u2011to\u2011high risk for a single system or broader deployment.", "risk_and_exploitability": "The EPSS score is not available, and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting that no mass exploitation is currently known. The exploitation vector is inferred to be remote through the web login interface, requiring no special privileges beyond access to the service. Although the risk is moderate, repeated brute\u2011force attempts could lead to account breaches or denial of service."}}}}, "created": "2026-04-14T16:18:52.092638+00:00", "updated": "2026-04-14T16:34:00.542521+00:00", "vendors": ["hclsoftware", "hclsoftware$PRODUCT$velocity"]}