Aion CVE-2025-52641

EUVD-2025-209473 · LOW
Error Message Information Leak (CWE-209)
2026-04-15 · HCL · GHSA-p72j-qjhf-94m3
CVSS 3.1 score: 2.9 (NVD)

Severity by source

NVD (primary): 2.9 LOW, AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N
Attack Vector: Local
Attack Complexity: High
Privileges Required: High
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Apr 15, 2026 - 09:09: Analysis Generated (vuln.today)
Apr 15, 2026 - 09:00: EUVD ID Assigned (euvd), EUVD-2025-209473
Apr 15, 2026 - 09:00: Analysis Generated (vuln.today)
Apr 15, 2026 - 08:47: CVE Published (nvd), LOW 2.9

Description (CVE.org)

HCL AION is affected by a vulnerability where certain system behaviours may allow exploration of internal filesystem structures. Exposure of such information may provide insights into the underlying environment, which could potentially aid in further targeted actions or limited information disclosure.

Analysis (AI)

HCL AION allows local attackers with high privileges to explore internal filesystem structures through certain system behaviors, potentially disclosing information about the underlying environment that could facilitate further targeted attacks. The vulnerability requires local access, high privileges, and user interaction to trigger, with a CVSS score of 2.9 reflecting low immediate risk. No public exploit code or active exploitation has been identified.

Technical Context (AI)

The vulnerability involves information disclosure through filesystem path enumeration or similar disclosure mechanisms in HCL AION (an enterprise integration and optimization platform). The attack vector is local (AV:L), and exploitation requires high privileges (PR:H) and user interaction (UI:R), suggesting the exposure requires deliberate system manipulation rather than accidental mishandling. The high attack complexity (AC:H) indicates the exploit method is not straightforward. The record lists CWE-209 (Error Message Information Leak); the core issue maps to improper access control or information exposure related to filesystem structures.

Remediation (AI)

Apply the security patch provided by HCL through the official vendor advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130007. The advisory should specify the patched version and update process; organizations should prioritize systems where high-privilege users have local access and interactive execution capabilities. Until patching is feasible, restrict local filesystem access and limit high-privilege account usage to authorized administrative personnel only, minimizing the user interaction trigger required for the vulnerability.

More in Aion

CVE-2025-52650 HIGH
8.2 Oct 10

Inline script execution allowed in CSP vulnerability has been identified in HCL AION v2.0

CVE-2025-52632 MEDIUM
6.5 Oct 10

A Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability in HCL AION. This issue affects AION: 2.0.

CVE-2025-52644 MEDIUM
5.8 Mar 16

HCL AION contains inadequate auditing and logging mechanisms that fail to properly track certain user actions, reducing

CVE-2025-52638 MEDIUM
5.6 Mar 16

HCL AION contains a container base image authentication vulnerability where container images are not properly verified b

CVE-2025-52627 MEDIUM
5.5 Feb 03

Aion versions up to 2.0 are affected by incorrect permission assignment for critical resource (CVSS 5.5).

CVE-2025-62313 MEDIUM
5.4 May 14

HCL AION lacks adequate brute-force protections on authentication mechanisms, allowing repeated login attempts that coul

CVE-2025-62310 MEDIUM
5.4 May 14

HCL AION fails to enforce encryption for certain data transmissions or operations, potentially exposing sensitive inform

CVE-2025-52624 MEDIUM
5.4 Oct 10

A vulnerability: bypass of the script allowlist configuration in HCL AION. An incorrectly configured Content-Security-

CVE-2025-62305 MEDIUM
5.1 May 14

HCL AION allows exposure of sensitive information through out-of-band interactions triggered by certain operations, affe

CVE-2025-62308 MEDIUM
5.1 May 14

HCL AION exposes sensitive backend infrastructure details through an information disclosure vulnerability affecting auth

CVE-2025-52643 MEDIUM
4.7 Mar 16

A security vulnerability in HCL AION (CVSS 4.7). Remediation should follow standard vulnerability management procedures.

CVE-2025-52628 MEDIUM
4.6 Feb 03

Aion versions up to 2.0 contain a vulnerability that allows cookies to be sent in cross-site requests, pot
