
HCL iControl CVE-2025-52608

EUVD: EUVD-2025-210061 · LOW
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute (CWE-614)
2026-06-04 psirt@hcl.com GHSA-vvc8-jfgx-2xm5
Score: 3.1 (CVSS 3.1 · NVD)

Severity by source

NVD (primary): 3.1 LOW
AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Lifecycle Timeline

1. Analysis Generated: Jun 04, 2026 - 12:33 (vuln.today)

Description (CVE.org)

HCL iControl was affected by a Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite, and that the path is set to root.

Analysis (AI)

HCL iControl issues session cookies without the Secure or SameSite attributes and with the cookie path scoped to root ('/'). Per the NVD vector, a remote attacker who already holds a low-privilege authenticated session could achieve limited integrity impact, and only under high-complexity conditions. The missing Secure attribute lets browsers send the cookie over unencrypted HTTP, while the absent SameSite attribute opens a cross-site request forgery vector. CVSS scores this at 3.1 (Low); no public exploit code is known and the CVE is not listed in CISA KEV.

Technical Context (AI)

CWE-614 ('Sensitive Cookie in HTTPS Session Without Secure Attribute') describes the root-cause class here. When the Secure flag is absent, browsers transmit the session cookie over both HTTPS and HTTP connections, so it can be captured by passive or active network-layer attacks against any plaintext request to the host. The missing SameSite attribute (modern browsers default to 'Lax' when it is absent, but the application enforces nothing explicitly) may permit cross-origin requests to carry the cookie in certain navigation contexts, contributing to CSRF exposure. Setting the cookie path to root ('/') means the cookie is sent with every request to any path on the HCL iControl host, unnecessarily broadening the attack surface. The affected product is HCL iControl; exact CPE strings and version ranges are not provided in the available intelligence.

Remediation (AI)

The primary remediation is to apply the vendor-released fix documented in HCL's KB article KB0131061 at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0131061. An exact patched version number is not independently confirmed from the available data; organizations should consult the advisory directly for the target upgrade version. As compensating controls until the patch is applied: enforce strict HTTPS-only access to the iControl application and send HTTP Strict Transport Security (HSTS) headers so browsers refuse to issue plaintext HTTP requests, which mitigates the missing Secure attribute. Web application firewall rules can block cross-origin POST requests to reduce CSRF exposure from the missing SameSite attribute. Restricting the cookie path to the narrowest necessary scope (rather than root '/') limits the cookie's exposure to unrelated application paths, but this requires application-level configuration changes. These controls reduce but do not eliminate the risk; the definitive fix is the vendor patch.
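As an added example (not code from HCL or vuln.today), the following auditor checks a Set-Cookie header for the weaknesses this record describes (missing Secure and SameSite, Path set to root) and re-emits the same cookie in the hardened form the remediation section calls for. The cookie names, values and the `/icontrol` path are constructed for illustration, not captured from HCL iControl.

```python
# Added example, not HCL's or vuln.today's code. Cookie names/values are constructed.


def parse_set_cookie(header_value: str) -> tuple[str, str, dict]:
    """Split one Set-Cookie value into (name, value, {attr_lower: value|True})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        # Flag attributes (Secure, HttpOnly) carry no value; store them as True.
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header_value: str) -> list[str]:
    """Return the findings for one Set-Cookie header, in the order checked."""
    _, _, attrs = parse_set_cookie(header_value)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure (CWE-614: cookie also sent over plaintext HTTP)")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly (cookie readable by page scripts)")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or not samesite:
        findings.append("missing SameSite (CSRF protection left to browser defaults)")
    elif samesite.lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure is rejected by browsers")
    # The record treats Path=/ as over-broad: every request to the host carries it.
    if attrs.get("path") == "/":
        findings.append("Path=/ sends the cookie to every path on the host")
    return findings


def harden_set_cookie(header_value: str, path: str = "/") -> str:
    """Re-emit the cookie with Secure, HttpOnly, SameSite=Lax and a scoped Path."""
    name, value, attrs = parse_set_cookie(header_value)
    # Preserve non-security attributes the application chose (lifetime, domain).
    keep = {"max-age", "expires", "domain"}
    extras = [f"{k.title()}={v}" for k, v in attrs.items() if k in keep]
    parts = [f"{name}={value}", f"Path={path}", "Secure", "HttpOnly", "SameSite=Lax"]
    return "; ".join(parts + extras)


if __name__ == "__main__":
    weak = "JSESSIONID=0123456789abcdef; Path=/"  # constructed; shape described in the CVE
    for finding in audit_set_cookie(weak):
        print("-", finding)
    print(harden_set_cookie(weak, path="/icontrol"))  # assumed narrower path
```

Run it against the Set-Cookie headers of a real response (for example via `curl -sI`) to confirm after patching that no findings remain.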


CVE-2025-52608 vulnerability details – vuln.today
