
Aion CVE-2025-52637

EUVD ID: EUVD-2025-208720 · Severity: MEDIUM
SQL Injection (CWE-89)
Published 2026-03-16 · Vendor: HCL
CVSS 3.1 score 4.5 (NVD)

Severity by source

NVD PRIMARY
4.5 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

EUVD ID Assigned: Mar 16, 2026 - 13:00 (euvd), EUVD-2025-208720
Analysis Generated: Mar 16, 2026 - 13:00 (vuln.today)
CVE Published: Mar 16, 2026 - 12:27 (nvd), rated MEDIUM 4.5

Description (CVE.org)

HCL AION is affected by a vulnerability where certain offering configurations may permit execution of potentially harmful SQL queries. Improper validation or restrictions on query execution could expose the system to unintended database interactions or limited information exposure under specific conditions.

Analysis (AI)

HCL AION contains a SQL injection or improper query validation vulnerability that allows authenticated local users with low privileges to execute potentially harmful SQL queries against the database. The vulnerability affects certain offering configurations and could lead to limited information disclosure, data modification, or denial of service under specific conditions. Given the CVSS score of 4.5 and the requirement for local access, this is a moderate-risk vulnerability whose most likely exploiters are insider threats or attackers who have already compromised a local account.

Technical Context (AI)

The vulnerability stems from improper input validation or insufficient access control restrictions on SQL query execution within HCL AION's database interaction layer. This is most likely a CWE-89 (SQL Injection) or CWE-863 (Incorrect Authorization) class flaw: either user-supplied input is insufficiently sanitized before being incorporated into SQL queries, or authorization checks fail to prevent unprivileged users from executing queries beyond their intended scope. The issue is specific to HCL AION's offering configuration modules, which suggests that the vulnerability lies in configuration parsers or query builders that handle user-provided parameters without consistent use of parameterized queries or stored procedures. The local attack vector (AV:L) indicates that the attacker must already have some form of system access, whether through a compromised account, shell access, or an authenticated application-level session.

Remediation (AI)

Organizations using HCL AION should immediately check the HCL PSIRT advisories and security updates for a patch targeting this vulnerability and apply it to affected systems. Until a patch is available, apply compensating controls: enforce least-privilege database credentials for AION application processes (read-only accounts or restricted stored procedures where possible); restrict access to AION offering configuration modules to the administrative users who require it; enable database-level query logging and monitoring so that anomalous SQL execution patterns can be detected; and disable or restrict features that accept user-supplied query parameters if they are not essential to operations. Network segmentation that limits local system access, together with multi-factor authentication for administrative accounts, reduces the likelihood of the credential compromise that exploitation would require.

More in Aion

CVE-2025-52650 (HIGH 8.2, Oct 10): Inline script execution allowed in CSP vulnerability has been identified in HCL AION v2.0

CVE-2025-52632 (MEDIUM 6.5, Oct 10): A Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability in HCL AION. This issue affects AION: 2.0.

CVE-2025-52644 (MEDIUM 5.8, Mar 16): HCL AION contains inadequate auditing and logging mechanisms that fail to properly track certain user actions, reducing

CVE-2025-52638 (MEDIUM 5.6, Mar 16): HCL AION contains a container base image authentication vulnerability where container images are not properly verified b

CVE-2025-52627 (MEDIUM 5.5, Feb 03): Aion versions up to 2.0 are affected by incorrect permission assignment for critical resource (CVSS 5.5).

CVE-2025-62313 (MEDIUM 5.4, May 14): HCL AION lacks adequate brute-force protections on authentication mechanisms, allowing repeated login attempts that coul

CVE-2025-62310 (MEDIUM 5.4, May 14): HCL AION fails to enforce encryption for certain data transmissions or operations, potentially exposing sensitive inform

CVE-2025-52624 (MEDIUM 5.4, Oct 10): A vulnerability: Bypass of the script allowlist configuration in HCL AION. An incorrectly configured Content-Security-

CVE-2025-62305 (MEDIUM 5.1, May 14): HCL AION allows exposure of sensitive information through out-of-band interactions triggered by certain operations, affe

CVE-2025-62308 (MEDIUM 5.1, May 14): HCL AION exposes sensitive backend infrastructure details through an information disclosure vulnerability affecting auth

CVE-2025-52643 (MEDIUM 4.7, Mar 16): A security vulnerability in HCL AION (CVSS 4.7). Remediation should follow standard vulnerability management procedures.

CVE-2025-52628 (MEDIUM 4.6, Feb 03): Aion versions up to 2.0 contain a vulnerability that allows cookies to be sent in cross-site requests, pot

CVE-2025-52637 vulnerability details – vuln.today
