Platform
other
Component
unica-centralized-offer-management
Fixed in
25.1.1
A Server-Side Request Forgery (SSRF) vulnerability has been identified in HCL Unica Centralized Offer Management versions up to and including 25.1. This flaw allows an attacker to potentially manipulate the application into making requests to unintended internal or external resources. The vulnerability stems from improper input validation, enabling malicious crafting of input to trigger the SSRF. A patch is available in version 25.1.1.
Successful exploitation of CVE-2025-31993 could allow an attacker to access internal resources that are not directly exposed to the internet. This could include sensitive data stored on internal servers, access to administrative interfaces, or even the ability to interact with other internal services. The attacker could potentially use the compromised application as a proxy to scan internal networks or launch further attacks. While the CVSS score is LOW, the potential for internal data exposure and lateral movement warrants prompt remediation.
CVE-2025-31993 was publicly disclosed on 2025-10-12. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. Given the SSRF nature and relatively low CVSS score, the probability of active exploitation is considered low to medium.
Exploit Status
EPSS
0.04% (12th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-31993 is to upgrade to HCL Unica Centralized Offer Management version 25.1.1 or later. If upgrading immediately is not feasible, consider implementing input validation and sanitization measures to restrict the URLs that the application can access. Web Application Firewalls (WAFs) configured to block suspicious outbound requests can also provide a temporary layer of protection. Thoroughly review and restrict network access policies to limit the potential impact of a successful SSRF attack.
Update HCL Unica Centralized Offer Management to a patched version that addresses the SSRF vulnerability. Refer to the HCL knowledge base article for more details and specific upgrade instructions: https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0124422
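As an illustration of the interim measure above (restricting which URLs the application may fetch), the following is an added example of an allow-list validator for outbound requests. It is not HCL code and says nothing about how Unica Centralized Offer Management handles URLs internally; the hostnames, the allow-list, and the table that stands in for DNS are all constructed for the example. The approach is deny-by-default: only http/https, only hosts from a configured list, no embedded credentials, no raw IP literals, and the name must resolve to a public address before the request is allowed.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list: the only hosts this application may fetch from.
# In a real deployment this comes from configuration, never from user input.
ALLOWED_HOSTS = {"offers.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Constructed stand-in for DNS so the example runs offline. Production code
# would call socket.getaddrinfo() and then connect to the vetted address it
# got back, so that a second resolution cannot return something different.
FAKE_DNS = {
    "offers.example.com": ["1.2.3.4"],     # constructed public address
    "cdn.example.com": ["10.20.30.40"],    # constructed: allow-listed name pointing inside the network
}


def resolve_host(host):
    """Offline resolver over the constructed table above."""
    return FAKE_DNS.get(host, [])


def is_public_address(ip):
    """True only for addresses routable on the public internet."""
    return ip.is_global and not ip.is_multicast


def validate_outbound_url(url, resolver=resolve_host):
    """Return (True, 'ok') if the URL may be fetched, otherwise (False, reason)."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for an out-of-range or non-numeric port
    except ValueError:
        return False, "malformed URL"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    host = parts.hostname  # already lower-cased, IPv6 brackets stripped
    if not host:
        return False, "missing host"
    # A legitimate integration uses names from the allow-list, so any raw
    # IP literal (IPv4, IPv6, loopback, link-local, ...) is rejected outright.
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        return False, "IP literal not allowed"
    if host not in ALLOWED_HOSTS:
        return False, "host not in allow-list"
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    # Resolve and check every returned address: an allow-listed name that
    # points at a private range must not become a path into the network.
    addresses = resolver(host)
    if not addresses:
        return False, "host does not resolve"
    for addr in addresses:
        if not is_public_address(ipaddress.ip_address(addr)):
            return False, "host resolves to non-public address"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs covering each rejection path.
    for sample in [
        "https://offers.example.com/api/offers?id=7",
        "ftp://offers.example.com/x",
        "http://127.0.0.1:8080/admin",
        "https://intranet.example.com/",
        "https://cdn.example.com/a.png",
    ]:
        print(sample, "->", validate_outbound_url(sample))
```

The validator is meant to sit in front of whatever HTTP client the application uses, with the request issued only to the address that passed the check. Note that in a deployment the scheme, host and port lists are configuration owned by the operator; the decimal, octal and bracketed-IPv6 forms of an address all fail either the IP-literal check or the allow-list check, and a name that resolves to a private range is rejected even when the name itself is permitted.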
CVE-2025-31993 is a Server-Side Request Forgery vulnerability affecting HCL Unica Centralized Offer Management versions up to 25.1, allowing attackers to potentially access internal resources.
You are affected if you are using HCL Unica Centralized Offer Management version 25.1 or earlier. Upgrade to 25.1.1 or later to mitigate the risk.
The recommended fix is to upgrade to HCL Unica Centralized Offer Management version 25.1.1 or later. Consider input validation as a temporary workaround.
Currently, there are no confirmed reports of active exploitation, but the SSRF nature warrants vigilance.
Please refer to the official HCL security advisory for detailed information and updates regarding CVE-2025-31993.