Cyber Posture

CVE-2025-55261

High

Published: 26 March 2026

Published
26 March 2026
Modified
26 March 2026
KEV Added
Patch
CVSS Score 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
EPSS Score 0.0002 4.8th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-55261 is a high-severity Improper Access Control (CWE-284) vulnerability in Hcltech Aftermarket Cloud. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 4.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match
prevent

Directly enforces approved authorizations for functional level access, preventing privilege escalation and unauthorized data access in HCL Aftermarket DPC.

AC-6 Least Privilege good match
prevent

Implements least privilege to restrict access to only necessary functions, mitigating the impact of missing access controls and blocking escalation.

AC-2 Account Management partial match
prevent

Manages accounts, roles, and privileges to ensure proper assignment and prevent conditions enabling privilege escalation via missing functional controls.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Missing functional-level access control directly enables remote exploitation for privilege escalation (T1068) on a public-facing web application (T1190), leading to unauthorized data access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

HCL Aftermarket DPC is affected by Missing Functional Level Access Control which will allow attacker to escalate his privileges and may compromise the application and may steal and manipulate the data.

Deeper analysisAI

CVE-2025-55261 is a Missing Functional Level Access Control vulnerability (CWE-284) affecting HCL Aftermarket DPC. Published on 2026-03-26 with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H), it enables an attacker to escalate privileges, potentially compromising the application and allowing unauthorized access to steal and manipulate data.

The vulnerability can be exploited by an unauthenticated attacker (PR:N) over the network (AV:N) with low attack complexity (AC:L), though it requires user interaction (UI:R). Successful exploitation grants high confidentiality impact (C:H) through data theft and high availability impact (A:H) via application compromise, with no direct integrity impact noted in the CVSS metrics despite the potential for data manipulation described.

For mitigation details, refer to the HCL Software advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793.

Details

CWE(s)
CWE-284

Affected Products

hcltech
aftermarket cloud
1.0.0

CVEs Like This One

CVE-2025-55262Same product: Hcltech Aftermarket Cloud
CVE-2025-55271Same product: Hcltech Aftermarket Cloud
CVE-2025-55270Same product: Hcltech Aftermarket Cloud
CVE-2025-55267Same product: Hcltech Aftermarket Cloud
CVE-2025-55263Same product: Hcltech Aftermarket Cloud
CVE-2025-55265Same product: Hcltech Aftermarket Cloud
CVE-2025-55269Same product: Hcltech Aftermarket Cloud
CVE-2025-55275Same product: Hcltech Aftermarket Cloud
CVE-2025-53763Shared CWE-284
CVE-2026-20750Shared CWE-284

References