Skip to main content

HCL ZIE CVE-2025-59872

| EUVDEUVD-2025-210240 CRITICAL
Error Message Information Leak (CWE-209)
2026-06-17 HCL
Critical
Disputed · 9.8 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
Vendor (HCL) PRIMARY
MEDIUM
qualitative
NVD
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

Network-reachable upload (AV:N, PR:N) but RCE depends on a non-default execute-in-Webroot configuration outside the attacker's control, so AC:H; full host compromise gives C:H/I:H/A:H.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jun 26, 2026 - 15:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 26, 2026 - 15:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 26, 2026 - 15:22 vuln.today
cvss_changed
Severity Changed
Jun 26, 2026 - 15:22 NVD
MEDIUM CRITICAL
CVSS changed
Jun 26, 2026 - 15:22 NVD
4.3 (MEDIUM) 9.8 (CRITICAL)
Analysis Generated
Jun 17, 2026 - 13:20 vuln.today

DescriptionNVD

HCL ZIE for Web is affetced by an Unrestricted File Upload vulnerability, If the server is configured to execute code, then it may be possible to obtain command execution on the server by uploading a file known as a web shell, which allows you to execute arbitrary code or operating system commands. For this attack to be successful, the file needs to be uploaded inside the Webroot, and the server must be configured to execute the code

AnalysisAI

Unrestricted file upload in HCL ZIE for Web (Z and I Emulator) version 16.0 allows remote attackers to upload a web shell that can yield arbitrary command execution on the server, but only when the server is configured to execute uploaded code and the file lands inside the Webroot. The CVSS 3.1 base score is 9.8, yet CISA's SSVC framework rates exploitation as 'none' and not automatable with only partial technical impact, and EPSS sits at just 0.34% (26th percentile). No public exploit is identified at time of analysis and the issue is not listed in CISA KEV.

Technical ContextAI

HCL ZIE (Z and I Emulator) for Web is a browser-delivered 3270/5250 terminal emulator used to reach IBM mainframe and IBM i (AS/400) hosts; it descends from the former IBM Host On-Demand product line and typically runs on a Java application server. The affected component is the server-side file upload handler, identified by CPE cpe:2.3:a:hcl_software:zie. The vendor-assigned weakness is CWE-209 (Generation of Error Message Containing Sensitive Information), but this does not match the described behavior - an unrestricted upload of executable content maps far more naturally to CWE-434 (Unrestricted Upload of File with Dangerous Type). The root cause is that the upload routine does not validate or constrain the type/location of uploaded files, so an attacker-controlled file (a web shell) placed in a directory the web/application server will interpret can be executed on request.

RemediationAI

Patch available per vendor advisory: consult HCL knowledge-base article KB0131549 (https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0131549) for the fixed release and upgrade ZIE 16.0 accordingly - no exact fix version was provided in this data set, so confirm it directly with HCL before scheduling. Because exploitation requires the server to be configured to execute code in the Webroot, the strongest compensating control is to disable server-side execution of uploaded/script content in the web and application server (e.g., remove handler mappings or execute permissions for the upload directory), which neutralizes the web-shell path at the cost of breaking any legitimate dynamic content served from that location. Additionally, restrict or authenticate access to the file-upload endpoint, store uploads outside the Webroot, and enforce server-side allow-list validation of file types; monitor the upload directory for newly created executable/script files. These controls reduce exposure but are not a substitute for the vendor fix.

Share

CVE-2025-59872 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy