Cyber Resilience

CVE-2025-55261

High

Published: 26 March 2026

Published
26 March 2026
Modified
26 March 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
EPSS Score 0.0032 23.5th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-55261 is a high-severity Improper Access Control (CWE-284) vulnerability in Hcltech Aftermarket Cloud. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 23.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-55261 is a Missing Functional Level Access Control vulnerability (CWE-284) affecting HCL Aftermarket DPC. Published on 2026-03-26 with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H), it enables an attacker to escalate privileges, potentially compromising the application and allowing unauthorized access to steal and manipulate data.

The vulnerability can be exploited by an unauthenticated attacker (PR:N) over the network (AV:N) with low attack complexity (AC:L), though it requires user interaction (UI:R). Successful exploitation grants high confidentiality impact (C:H) through data theft and high availability impact (A:H) via application compromise, with no direct integrity impact noted in the CVSS metrics despite the potential for data manipulation described.

For mitigation details, refer to the HCL Software advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

HCL Aftermarket DPC is affected by Missing Functional Level Access Control which will allow attacker to escalate his privileges and may compromise the application and may steal and manipulate the data.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing functional-level access control directly enables remote exploitation for privilege escalation (T1068) on a public-facing web application (T1190), leading to unauthorized data access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-55262Same product: Hcltech Aftermarket Cloud
CVE-2025-55271Same product: Hcltech Aftermarket Cloud
CVE-2025-55270Same product: Hcltech Aftermarket Cloud
CVE-2025-55267Same product: Hcltech Aftermarket Cloud
CVE-2025-55265Same product: Hcltech Aftermarket Cloud
CVE-2025-55275Same product: Hcltech Aftermarket Cloud
CVE-2025-55263Same product: Hcltech Aftermarket Cloud
CVE-2025-55269Same product: Hcltech Aftermarket Cloud
CVE-2024-30150Same vendor: Hcltech
CVE-2025-57130Shared CWE-284

Affected Assets

hcltech
aftermarket cloud
1.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces approved authorizations for functional level access, preventing privilege escalation and unauthorized data access in HCL Aftermarket DPC.

prevent

Implements least privilege to restrict access to only necessary functions, mitigating the impact of missing access controls and blocking escalation.

prevent

Manages accounts, roles, and privileges to ensure proper assignment and prevent conditions enabling privilege escalation via missing functional controls.

References