
HCL iControl CVE-2025-52609

EUVD: EUVD-2025-210060 · LOW
Protection Mechanism Failure (CWE-693)
2026-06-04 · psirt@hcl.com · GHSA-2v7w-jm74-g6m3
3.7 (CVSS 3.1 · NVD)

Severity by source

NVD PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1. Analysis Generated: Jun 04, 2026 - 12:35 (vuln.today)

Description (CVE.org)

HCL iControl was affected by a Missing Security Headers vulnerability, which leads to cross-site scripting (XSS) attacks by enabling the built-in XSS filtering mechanisms of modern web browsers.

Analysis (AI)

Missing HTTP security response headers in HCL iControl fail to instruct client browsers to engage their built-in XSS filtering mechanisms, creating an exploitable gap classified under CWE-693 (Protection Mechanism Failure). The flaw is network-accessible and requires no authentication (PR:N per CVSS), but carries a CVSS 3.7 Low score due to high attack complexity (AC:H) and limited integrity-only impact (I:L). No public exploit code exists and this vulnerability is not listed in CISA KEV, placing it in the compliance/hardening category rather than immediate critical risk.

Technical Context (AI)

HCL iControl is a web-based IT operations and management platform. The root cause, CWE-693 (Protection Mechanism Failure), describes a class of flaws where an application fails to employ or correctly configure an existing security mechanism. In this case, the application does not emit HTTP response headers - such as X-XSS-Protection, Content-Security-Policy (CSP), or X-Content-Type-Options - that instruct browsers to activate built-in cross-site scripting defenses. Without a Content-Security-Policy restricting script sources, or the legacy X-XSS-Protection: 1; mode=block header for older browsers, injected payloads are not blocked at the client side. It is worth noting that X-XSS-Protection was deprecated and removed in Chrome 78+ and Edge 17+, meaning the actual protective value of that specific header is limited to legacy browsers; a robust CSP remains the industry-standard durable control. No CPE strings were provided in the available intelligence data.

Remediation (AI)

The primary remediation is to consult and apply guidance from HCL's vendor advisory KB0131041 at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0131041; no exact patched version number was included in the available intelligence data, so the advisory must be reviewed for specific fix versions. As a compensating control applicable immediately, administrators should configure the web server or reverse proxy layer serving HCL iControl to emit appropriate security response headers: a Content-Security-Policy header with restrictive default-src and script-src directives is the most impactful control and is effective across all modern browsers; X-XSS-Protection: 1; mode=block can be added for legacy browser coverage but has no effect in Chrome 78+ or Edge 17+ and should not be relied upon as the primary defense; X-Content-Type-Options: nosniff reduces MIME-type confusion risks. These headers can be injected via nginx add_header directives or equivalent configuration in Apache or a WAF with low operational risk. The trade-off is that overly restrictive CSP policies may break legitimate application functionality - test in a staging environment before broad rollout.
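As an added example (not from vuln.today, HCL or the advisory), the following Python audit checks a captured response header set for the controls the remediation names: a CSP whose effective script sources are restrictive, X-Content-Type-Options: nosniff, and the legacy X-XSS-Protection header reported as informational only. The header values are constructed samples, not taken from a real HCL iControl host.

```python
"""Audit HTTP response headers for the hardening controls named in the advisory."""
from typing import Dict, List

# Constructed sample header sets (not captured from any real HCL iControl host).
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "nginx",
}
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [sources]}; directive names are case-insensitive."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every control checked here is present."""
    # Header names are case-insensitive (RFC 9110), so normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        policy = parse_csp(csp)
        # script-src falls back to default-src when absent, so one of them must be restrictive.
        script_sources = policy.get("script-src", policy.get("default-src"))
        if script_sources is None:
            findings.append("CSP sets neither script-src nor default-src")
        elif "'unsafe-inline'" in script_sources or "*" in script_sources:
            findings.append("CSP script sources permit inline or wildcard scripts")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    # X-XSS-Protection only affects legacy browsers; its absence is informational, not a failure.
    if "x-xss-protection" not in h:
        findings.append("info: X-XSS-Protection absent (legacy browsers only)")
    return findings


if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, audit_headers(hdrs) or ["ok"])
```

Feed it the header dictionary from any HTTP client response to compare the staging configuration against the production one before rolling out the nginx or Apache header changes.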


CVE-2025-52609 vulnerability details – vuln.today
