CVE-2025-55278
Published: 05 November 2025
Summary
CVE-2025-55278 is a high-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in HCL Software (inferred from references). Its CVSS base score is 8.1 (High).
Operationally, it ranks in the 5.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-37960
Vulnerability details
Improper authentication in the API authentication middleware of HCL DevOps Loop allows authentication tokens to be accepted without proper validation of their expiration and cryptographic signature. As a result, an attacker could potentially use expired or tampered tokens to gain unauthorized access to sensitive resources and perform actions with elevated privileges.
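The weakness described above is the absence of two checks that a token verifier must perform before trusting any claim: signature verification and expiry enforcement. The following is an added illustration, not code from HCL DevOps Loop or from this advisory; it uses a constructed HMAC-SHA256 token format and a constructed demo key, and shows a verifier that rejects tampered and expired tokens in the correct order (signature first, then exp).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key for this example only; a real service loads it from a secret store.
SECRET_KEY = b"demo-secret-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Build a compact token: base64url(payload).base64url(HMAC-SHA256(payload))."""
    now = time.time() if now is None else now
    payload = dict(claims, exp=int(now) + ttl_seconds)
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def verify_token(token: str, now: Optional[float] = None):
    """Return (accepted, reason, claims); claims is None unless accepted.

    The signature is checked before any claim is read, because an unsigned or
    tampered payload could carry an arbitrary exp value or elevated role.
    """
    now = time.time() if now is None else now
    try:
        body, sig_text = token.split(".", 1)
        presented_sig = _b64url_decode(sig_text)
    except (ValueError, TypeError):
        return False, "malformed", None
    expected_sig = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
    # Constant-time comparison; unequal lengths also compare as False.
    if not hmac.compare_digest(presented_sig, expected_sig):
        return False, "bad signature", None
    claims = json.loads(_b64url_decode(body))
    exp = claims.get("exp")
    # A missing or non-integer exp is treated as expired rather than as "no limit".
    if not isinstance(exp, int) or now >= exp:
        return False, "expired or missing exp", None
    return True, "ok", claims
```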
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Locks the device (typically after inactivity) until re-authentication, addressing insufficient session expiration by preventing indefinite access.
- Automatically terminating sessions after a defined period directly enforces session expiration, preventing indefinite session lifetimes that attackers can exploit.
- Requires verification of digital signatures using organization-approved certificates before installation, directly preventing improper verification of cryptographic signatures.
- Re-authentication after inactivity or time-based triggers prevents indefinite use of potentially hijacked or stale sessions.
- Terminating sessions and network connections upon completion prevents insufficient session expiration.
- Component authenticity commonly depends on cryptographic signatures; the control enforces proper verification of those signatures.
- Directly enforces termination of network sessions after inactivity or end-of-session, preventing indefinite session lifetime.
- PKI certificates under an approved policy require cryptographic signature verification on issuance and validation.