
HCL iControl CVE-2025-52606

EUVD: EUVD-2025-210062 · MEDIUM
Error Message Information Leak (CWE-209)
2026-06-04 · psirt@hcl.com · GHSA-pjv4-rfhc-cr73
CVSS 3.1 score 4.3 (NVD)

Severity by source

NVD (primary): 4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD; the only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Lifecycle Timeline

1. Analysis Generated: Jun 04, 2026 - 12:37 (vuln.today)

Description (CVE.org)

HCL iControl was affected by a Weak Input Validation vulnerability. This weakness is caused during implementation of an architectural security tactic. The product receives input that is expected to be of a certain type, but it does not validate, or incorrectly validates, that the input is actually of the expected type.

Analysis (AI)

Weak input validation in HCL iControl allows authenticated remote attackers to submit input of an unexpected type, resulting in limited integrity impact against the target system. The vulnerability stems from an implementation deficiency in an architectural security tactic - specifically, the application's failure to correctly validate received input against its expected type. No public exploit code exists and no active exploitation has been confirmed; however, the low-complexity, network-accessible attack vector lowers the bar for authenticated users to abuse this flaw.

Technical Context (AI)

HCL iControl is an enterprise software product from HCL Software. The root cause is classified under CWE-209 (Generation of Error Message Containing Sensitive Information), although the description characterizes the flaw as a type-validation weakness - this discrepancy warrants attention. CWE-209 typically manifests when an application generates verbose error messages in response to unexpected or malformed input, potentially exposing internal state, stack traces, or system configuration details. The CVSS vector (AV:N/AC:L/PR:L/UI:N) indicates the flaw is reachable over the network with low-complexity exploitation requiring only low-privilege authentication and no user interaction. The scope is unchanged (S:U), limiting the vulnerability's blast radius to the vulnerable component itself. Specific CPE strings identifying affected versions were not included in the provided data.

Remediation (AI)

Consult HCL Software's official advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0131178 (KB0131178) for patching guidance. An exact fixed version was not provided in the available data, so the patch status is confirmed as 'Patch available per vendor advisory' without an independently verified fix version. As a compensating control, restrict access to the HCL iControl application to trusted, least-privilege authenticated accounts only, minimizing the pool of users who could exploit the input validation flaw. Ensure verbose error messages and stack traces are disabled or suppressed at the application and web server layers to limit information exposure consistent with CWE-209. Review application logs for anomalous inputs or unexpected type errors that may indicate attempted exploitation.
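The two paragraphs above describe a general pattern rather than iControl-specific code: a handler assumes a field has a certain type, the assumption fails on unexpected input, and the resulting error response carries internal detail (CWE-209). The following is an added example written for this page, not HCL's code (no iControl source is cited here); the request shapes, field names and the `_lookup_job` back-end stand-in are constructed for illustration. It shows a leaky handler beside a hardened one that validates the type explicitly and keeps failure detail in the server log, plus a small check a defender can run over error bodies to spot trace or exception text that should never reach a client.

```python
"""Added illustration of CWE-209 alongside weak type validation (hypothetical
handlers, not HCL iControl code)."""
import json
import logging
import traceback
import uuid

log = logging.getLogger("example")

# Constructed sample requests: one well-formed, one with a field of the wrong type.
GOOD_REQUEST = '{"job_id": 42, "action": "restart"}'
BAD_TYPE_REQUEST = '{"job_id": "42; not an int", "action": "restart"}'


def _lookup_job(job_id: int) -> dict:
    # Stand-in for a back-end call; constructed for the example.
    return {"job_id": job_id, "state": "running"}


def handle_leaky(body: str) -> tuple[int, dict]:
    """Before: assumes job_id is an int and echoes the exception text and a
    traceback back to the caller when that assumption fails (CWE-209)."""
    try:
        req = json.loads(body)
        job_id = req["job_id"]
        offset = job_id + 1  # raises TypeError when job_id is not a number
        return 200, _lookup_job(offset - 1)
    except Exception as exc:  # deliberately broad: this is the weak version
        return 500, {"error": str(exc), "trace": traceback.format_exc()}


def handle_hardened(body: str) -> tuple[int, dict]:
    """After: validates the field's type explicitly, returns a fixed
    client-safe message, and keeps the detail in the server log under an
    opaque correlation id."""
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        return 400, {"error": "malformed request body"}
    job_id = req.get("job_id")
    # bool is a subclass of int in Python, so reject it explicitly.
    if not isinstance(job_id, int) or isinstance(job_id, bool):
        return 400, {"error": "job_id must be an integer"}
    try:
        return 200, _lookup_job(job_id)
    except Exception:
        ref = uuid.uuid4().hex
        log.exception("job lookup failed, ref=%s", ref)
        return 500, {"error": "internal error", "ref": ref}


def leaks_internal_detail(response: dict) -> bool:
    """Defender check: does a client-visible error body carry stack-trace or
    exception-class text that belongs only in a server-side log?"""
    text = json.dumps(response)
    markers = ("Traceback", 'File "', "TypeError")
    return any(m in text for m in markers)


if __name__ == "__main__":
    for name, handler in (("leaky", handle_leaky), ("hardened", handle_hardened)):
        status, body = handler(BAD_TYPE_REQUEST)
        print(name, status, "leaks detail:", leaks_internal_detail(body))
```

The hardened handler pairs the two controls the remediation text calls for: the type is checked before the value is used, and the 500 path returns only a correlation id so that the detail can be found in the application log without being disclosed to the requester.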
