CVE-2024-23564

HCL Software · Aftermarket EPC

HCL Aftermarket EPC contains a business logic flaw that allows unauthenticated users to retrieve passwords from the server and redirect them to attacker-controlled email addresses.

Executive summary

A critical business logic vulnerability in HCL Aftermarket EPC allows unauthenticated attackers to steal user credentials, posing a severe risk of account takeover.

Vulnerability

This is a business logic flaw where the application fails to perform necessary validation checks during email requests. The vulnerability allows an unauthenticated attacker to manipulate server responses to exfiltrate passwords.

Business impact

Successful exploitation leads to unauthorized access to user accounts, resulting in full credential compromise. Given the CVSS score of 9.1, this vulnerability presents a critical risk to data confidentiality and integrity, potentially leading to widespread unauthorized access to the affected environment.

Remediation

Immediate Action: Update HCL Software Aftermarket EPC to the latest available version provided by the vendor.

Proactive Monitoring: Review application access logs for suspicious password reset requests or unusual email traffic originating from the application server.

Compensating Controls: Implement strict network segmentation and WAF rules to monitor and block abnormal HTTP requests directed at the password recovery endpoints.

Exploitation status

Public Exploit Available: No

Analyst recommendation

This vulnerability is critical due to the ease of exploitation and the severity of the potential impact. Organizations should prioritize updating their HCL Aftermarket EPC instances immediately. If an update cannot be applied promptly, verify that the application is not exposed to the public internet to mitigate the risk of remote, unauthenticated exploitation.