{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-55275", "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "state": "PUBLISHED", "assignerShortName": "HCL", "dateReserved": "2025-08-12T07:00:17.742Z", "datePublished": "2026-03-26T12:47:08.836Z", "dateUpdated": "2026-03-26T13:21:32.798Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "shortName": "HCL", "dateUpdated": "2026-03-26T12:47:08.836Z"}, "title": "HCL Aftermarket DPC is affected by Admin Session Concurrency vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-557", "description": "CWE-557: Concurrency Issues is a Category", "type": "CWE"}]}], "affected": [{"vendor": "HCL", "product": "Aftermarket DPC", "versions": [{"status": "affected", "version": "version 1.0.0"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "HCL Aftermarket DPC is affected by Admin Session Concurrency vulnerability using which an attacker can exploit concurrent sessions to hijack or impersonate an admin user.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "HCL Aftermarket DPC is affected by Admin Session Concurrency vulnerability using which an attacker can exploit concurrent sessions to hijack or impersonate an admin user."}]}], "references": [{"url": "https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "LOW", "baseSeverity": "LOW", "baseScore": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T13:21:26.962396Z", "id": "CVE-2025-55275", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T13:21:32.798Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-55275", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T13:21:26.962396Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T13:21:29.632Z"}}], "cna": {"title": "HCL Aftermarket DPC is affected by Admin Session Concurrency vulnerability", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "HCL", "product": "Aftermarket DPC", "versions": [{"status": "affected", "version": "version 1.0.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793"}], "x_generator": {"engine": "Vulnogram 1.0.0"}, "descriptions": [{"lang": "en", "value": "HCL Aftermarket DPC is affected by Admin Session Concurrency vulnerability using which an attacker can exploit concurrent sessions to hijack or impersonate an admin user.", "supportingMedia": [{"type": "text/html", "value": "HCL Aftermarket DPC is affected by Admin Session Concurrency vulnerability using which an attacker can exploit concurrent sessions to hijack or impersonate an admin user.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-557", "description": "CWE-557: Concurrency Issues is a Category"}]}], "providerMetadata": {"orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "shortName": "HCL", "dateUpdated": "2026-03-26T12:47:08.836Z"}}}, "cveMetadata": {"cveId": "CVE-2025-55275", "state": "PUBLISHED", "dateUpdated": "2026-03-26T13:21:32.798Z", "dateReserved": "2025-08-12T07:00:17.742Z", "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "datePublished": "2026-03-26T12:47:08.836Z", "assignerShortName": "HCL"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hcltech:aftermarket_cloud:1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "C71E5E64-ED4C-4763-8A74-5F9DDCFD13DA", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "HCL Aftermarket DPC is affected by Admin Session Concurrency vulnerability using which an attacker can exploit concurrent sessions to hijack or impersonate an admin user."}], "id": "CVE-2025-55275", "lastModified": "2026-03-26T20:25:24.000", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 2.5, "source": "psirt@hcl.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-26T13:16:27.187", "references": [{"source": "psirt@hcl.com", "tags": ["Vendor Advisory"], "url": "https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793"}], "sourceIdentifier": "psirt@hcl.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-557"}], "source": "psirt@hcl.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Aftermarket DPC", "source": "cna", "vendor": "HCL"}, "product": "aftermarket_dpc", "vendor": "hcl"}], "analysis": {"en": {"generated_at": "2026-03-26T21:54:58.650549+00:00", "value": {"mitigation_remediation": ["Apply any available HCL patch or update that addresses the Admin Session Concurrency issue", "If no patch is available, limit the number of simultaneous sessions per user and enforce stricter session timeout policies", "Disable or tightly restrict concurrent session capabilities for administrative accounts", "Monitor admin accounts for abnormal login patterns and session spikes", "Verify with HCL support for any interim workarounds or configuration guidance"], "summary": {"action": "Apply Patch", "impact": "Session hijacking / admin impersonation"}, "threat_synthesis": {"affected_systems": "The affected product is HCL Aftermarket DPC version 1.0.0. No other vendors or versions are listed in the data.", "description_and_impact": "The vulnerability is an Admin Session Concurrency flaw that lets an attacker exploit overlapping user sessions to hijack or impersonate an administrative user. Classified as CWE\u2011557, it reveals insecure handling of session identifiers. If exploited, the attacker gains administrative privileges, allowing full read, modify, or delete capabilities over system data, configurations, or settings. The CVSS score of 3.7 reflects a low\u2011to\u2011moderate risk, indicating the flaw is not trivial but could become serious in environments where administrator sessions are not tightly controlled.", "risk_and_exploitability": "With a CVSS score of 3.7 and an unavailable EPSS value, the exploitation likelihood is not high, but the attack may still succeed if an attacker can initiate or manage concurrent sessions. Once successful, the attacker attains full administrator permissions, potentially compromising confidentiality, integrity, and availability of the entire system. The vulnerability is not listed in the CISA KEV catalog, so no known public exploits are documented yet, but the potential impact warrants vigilance."}}}}, "created": "2026-03-27T08:35:53.543356+00:00", "updated": "2026-03-27T09:28:36.415878+00:00", "vendors": ["hcl", "hcl$PRODUCT$aftermarket_dpc"]}