Severity by source
Primary rating from NVD (the only source for this CVE).
CVSS Vector (NVD): CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N
Description (CVE.org)
HCL AION is affected by a vulnerability where certain system behaviours may allow exploration of internal filesystem structures. Exposure of such information may provide insights into the underlying environment, which could potentially aid in further targeted actions or limited information disclosure.
Analysis (AI)
HCL AION allows local attackers with high privileges to explore internal filesystem structures through certain system behaviors, potentially disclosing information about the underlying environment that could facilitate further targeted attacks. The vulnerability requires local access, high privileges, and user interaction to trigger, with a CVSS score of 2.9 reflecting low immediate risk. No public exploit code or active exploitation has been identified.
Technical Context (AI)
The vulnerability involves information disclosure through filesystem path enumeration or a similar disclosure mechanism in HCL AION (an enterprise integration and optimization platform). The attack surface is limited to local access (AV:L), requires high privileges (PR:H) to trigger, and needs user interaction (UI:R), suggesting the exposure requires deliberate system manipulation rather than accidental mishandling. The high attack complexity (AC:H) indicates the exploit method is not straightforward. No CWE classification was provided, but the core issue maps to improper access control or information exposure related to filesystem structures.
Remediation (AI)
Apply the security patch provided by HCL through the official vendor advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130007. The advisory should specify the patched version and update process; organizations should prioritize systems where high-privilege users have local access and interactive execution capabilities. Until patching is feasible, restrict local filesystem access and limit high-privilege account usage to authorized administrative personnel only, which reduces the opportunity for the user-interaction trigger the vulnerability requires.
Inline script execution allowed in CSP vulnerability has been identified in HCL AION v2.0
A Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability in HCL AION. This issue affects AION: 2.0.
HCL AION contains inadequate auditing and logging mechanisms that fail to properly track certain user actions, reducing
HCL AION contains a container base image authentication vulnerability where container images are not properly verified b
Aion versions up to 2.0 are affected by incorrect permission assignment for critical resource (CVSS 5.5).
HCL AION lacks adequate brute-force protections on authentication mechanisms, allowing repeated login attempts that coul
HCL AION fails to enforce encryption for certain data transmissions or operations, potentially exposing sensitive inform
A vulnerability Bypass of the script allowlist configuration in HCL AION. An incorrectly configured Content-Security-
HCL AION allows exposure of sensitive information through out-of-band interactions triggered by certain operations, affe
HCL AION exposes sensitive backend infrastructure details through an information disclosure vulnerability affecting auth
A security vulnerability in HCL AION (CVSS 4.7). Remediation should follow standard vulnerability management procedures.
Aion versions up to 2.0 contain a vulnerability that allows cookies to be sent in cross-site requests, pot
Same weakness: CWE-209 – Error Message Information Leak
Same technique: Information Disclosure
EUVD-2025-209473
GHSA-p72j-qjhf-94m3