Cyber Resilience

CVE-2025-55278

High

Published: 05 November 2025

Published
05 November 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS Score 0.0002 5.3th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-55278 is a high-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Hcl Software (inferred from references). Its CVSS base score is 8.1 (High).

Operationally, ranked at the 5.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Improper authentication in the API authentication middleware of HCL DevOps Loop allows authentication tokens to be accepted without proper validation of their expiration and cryptographic signature. As a result, an attacker could potentially use expired or tampered tokens to gain…

more

unauthorized access to sensitive resources and perform actions with elevated privileges.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Hcl Software
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-613

Locks the device (typically after inactivity) until re-authentication, addressing insufficient session expiration by preventing indefinite access.

addresses: CWE-613

Automatically terminating sessions after a defined period directly enforces session expiration, preventing indefinite session lifetimes that attackers can exploit.

addresses: CWE-347

Requires verification of digital signatures using organization-approved certificates before installation, directly preventing improper verification of cryptographic signatures.

addresses: CWE-613

Re-authentication after inactivity or time-based triggers prevents indefinite use of potentially hijacked or stale sessions.

addresses: CWE-613

Terminating sessions and network connections upon completion prevents insufficient session expiration.

addresses: CWE-347

Component authenticity commonly depends on cryptographic signatures; the control enforces proper verification of those signatures.

addresses: CWE-613

Directly enforces termination of network sessions after inactivity or end-of-session, preventing indefinite session lifetime.

addresses: CWE-347

PKI certificates under an approved policy require cryptographic signature verification on issuance and validation.

References