Skip to main content

HCL AION CVE-2025-62305

| EUVDEUVD-2025-209848 MEDIUM
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-05-14 HCL GHSA-c489-5hxx-grxc
5.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
AV:A/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
May 14, 2026 - 17:33 vuln.today
CVE Published
May 14, 2026 - 16:17 nvd
MEDIUM 5.1

DescriptionCVE.org

HCL AION is affected by a vulnerability where certain operations may trigger out-of-band interactions, potentially resulting in unintended disclosure of sensitive information. Such behaviour may allow exposure of data to external systems under specific conditions.

AnalysisAI

HCL AION allows exposure of sensitive information through out-of-band interactions triggered by certain operations, affecting confidentiality and integrity under specific conditions. The vulnerability requires adjacent network access, low privilege authentication, and user interaction to exploit, making it suitable for targeted attacks within trusted environments rather than widespread remote exploitation.

Technical ContextAI

HCL AION is an integration and automation platform. The vulnerability involves unintended out-of-band interactions-unexpected network requests or data flows initiated by the application to external systems without explicit user authorization. CWE-201 (Information Exposure Through Sent Data) indicates the root cause is improper handling of sensitive data that gets transmitted outside intended boundaries. The adjacent network access vector (AV:A) suggests the attacker must be on the same local network segment or directly connected network, not Internet-accessible. The high attack complexity (AC:H) and required user interaction (UI:R) indicate exploitation is not trivial and depends on specific operational conditions or user actions within the application.

RemediationAI

Consult HCL's official advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130636 for vendor-released patches or fixes; specific patch versions are not confirmed in available data. As interim compensating controls, restrict network access to AION instances using firewalls and network segmentation to limit adjacent network connectivity, implement egress filtering to prevent unauthorized out-of-band communications to external systems, disable or restrict AION features that trigger external interactions if not operationally necessary, enforce strong access controls and authentication on AION administrative and operational accounts to reduce compromised account risk, and monitor network traffic from AION systems for unexpected external connections. Note that these controls mitigate attack surface but do not resolve the underlying vulnerability; vendor patch deployment is required for complete remediation.

More in Aion

View all
CVE-2025-52650 HIGH
8.2 Oct 10

Inline script execution allowed in CSP vulnerability has been identified in HCL AION v2.0

CVE-2025-52632 MEDIUM
6.5 Oct 10

A Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability in HCL AION.This issue affects AION: 2.0.

CVE-2025-52644 MEDIUM
5.8 Mar 16

HCL AION contains inadequate auditing and logging mechanisms that fail to properly track certain user actions, reducing

CVE-2025-52638 MEDIUM
5.6 Mar 16

HCL AION contains a container base image authentication vulnerability where container images are not properly verified b

CVE-2025-52627 MEDIUM
5.5 Feb 03

Aion versions up to 2.0 is affected by incorrect permission assignment for critical resource (CVSS 5.5).

CVE-2025-62313 MEDIUM
5.4 May 14

HCL AION lacks adequate brute-force protections on authentication mechanisms, allowing repeated login attempts that coul

CVE-2025-62310 MEDIUM
5.4 May 14

HCL AION fails to enforce encryption for certain data transmissions or operations, potentially exposing sensitive inform

CVE-2025-52624 MEDIUM
5.4 Oct 10

A vulnerability  Bypass of the script allowlist configuration in HCL AION.  An incorrectly configured Content-Security-

CVE-2025-62308 MEDIUM
5.1 May 14

HCL AION exposes sensitive backend infrastructure details through an information disclosure vulnerability affecting auth

CVE-2025-52643 MEDIUM
4.7 Mar 16

A security vulnerability in HCL AION (CVSS 4.7). Remediation should follow standard vulnerability management procedures.

CVE-2025-52628 MEDIUM
4.6 Feb 03

Aion versions up to 2.0 contains a vulnerability that allows attackers to cookies to be sent in cross-site requests, pot

CVE-2025-52626 MEDIUM
4.5 Feb 03

A Potential Command Injection vulnerability in HCL AION. An This can allow unintended command execution, potentially le

Share

CVE-2025-62305 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy