CVE-2025-52641

EUVD ID: EUVD-2025-209473
Severity: LOW
Date: 2026-04-15
Vendor: HCL
GitHub advisory: GHSA-p72j-qjhf-94m3
CVSS 3.1 base score: 2.9

CVSS Vector (source: NVD)

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N

Attack Vector: Local
Attack Complexity: High
Privileges Required: High
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

1. Analysis Generated: Apr 15, 2026, 09:09 (vuln.today)

Description (source: NVD)

HCL AION is affected by a vulnerability where certain system behaviours may allow exploration of internal filesystem structures. Exposure of such information may provide insights into the underlying environment, which could potentially aid in further targeted actions or limited information disclosure.

Analysis (AI-generated)

HCL AION allows local attackers with high privileges to explore internal filesystem structures through certain system behaviors, potentially disclosing information about the underlying environment that could facilitate further targeted attacks. The vulnerability requires local access, high privileges, and user interaction to trigger, with a CVSS score of 2.9 reflecting low immediate risk. No public exploit code or active exploitation has been identified.

Technical Context (AI-generated)

Only the CVSS vector and the NVD description are available, so the technical detail is thin: the issue is an information disclosure in HCL AION in which some system behaviour lets a user enumerate or infer the internal filesystem structure (paths, directory layout). The vector narrows the attack surface considerably. The attacker must already be on the host (AV:L) with high privileges (PR:H), another user must take some action (UI:R), and attack complexity is high (AC:H), meaning the required conditions cannot be reliably engineered by the attacker alone; this points to deliberate manipulation of the system rather than accidental mishandling. Scope is unchanged (S:U), and the recorded impact is low on both confidentiality and integrity (C:L, I:L) with no availability impact; note that the description only speaks of disclosure, so the source of the low integrity impact is not explained on this page. No CWE was assigned. The closest fit is information exposure (the CWE-200 family) or improper access control over filesystem information, but that mapping is an inference from the description, not an official classification.

Remediation (AI-generated)

Apply the fix published by HCL in the vendor advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130007; refer to that advisory for the affected and fixed versions and the update procedure, as the patched version is not stated on this page. Prioritise AION hosts on which administrators log in interactively, since exploitation needs local access, high privileges and a user action. Until the update is applied, restrict interactive local access to those hosts to named administrators, keep high-privilege accounts to the minimum required and review how they are used, and treat unexpected filesystem enumeration on AION hosts as worth investigating. The low score reflects the preconditions, not the value of what is exposed: filesystem layout details are the kind of information that commonly feeds later, more targeted attacks.
