
HCL AION CVE-2025-62305

EUVD-2025-209848 MEDIUM
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-05-14 HCL GHSA-c489-5hxx-grxc
5.1
CVSS 3.1

CVSS Vector (NVD)

CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector: Adjacent
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Analysis Generated: May 14, 2026 - 17:33 (vuln.today)
CVE Published: May 14, 2026 - 16:17 (nvd)

Description (NVD)

HCL AION is affected by a vulnerability where certain operations may trigger out-of-band interactions, potentially resulting in unintended disclosure of sensitive information. Such behaviour may allow exposure of data to external systems under specific conditions.

Analysis (AI)

HCL AION allows exposure of sensitive information through out-of-band interactions triggered by certain operations, affecting confidentiality and integrity under specific conditions. Exploitation requires adjacent network access, low-privilege authentication and user interaction, which makes the issue relevant to targeted attacks from within a trusted network rather than to widespread remote exploitation.

Technical Context (AI)

HCL AION is an integration and automation platform. The vulnerability involves unintended out-of-band interactions: unexpected network requests or data flows initiated by the application toward external systems without explicit user authorization. CWE-201 (Insertion of Sensitive Information Into Sent Data) indicates that the root cause is improper handling of sensitive data that is transmitted outside its intended boundaries. The adjacent network access vector (AV:A) means the attacker must be on the same local network segment or a directly connected network; the issue is not reachable from the Internet. The high attack complexity (AC:H) and required user interaction (UI:R) indicate that exploitation is not trivial and depends on specific operational conditions or user actions within the application.

Remediation (AI)

Consult HCL's official advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130636 for vendor-released patches or fixes; specific patch versions are not confirmed in available data. As interim compensating controls: restrict network access to AION instances with firewalls and network segmentation to limit adjacent network connectivity; implement egress filtering to prevent unauthorized out-of-band communications to external systems; disable or restrict AION features that trigger external interactions where they are not operationally necessary; enforce strong access controls and authentication on AION administrative and operational accounts to reduce the risk from a compromised account; and monitor network traffic from AION systems for unexpected external connections. These controls reduce the attack surface but do not resolve the underlying vulnerability; deploying the vendor patch is required for complete remediation.
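The last two compensating controls above (egress filtering and monitoring AION hosts for unexpected external connections) can be checked mechanically against firewall or flow logs. The following script is an added example written for this page; it is not HCL's code and is not part of the vendor advisory. It assumes a constructed syslog-style flow-log format with one flow per line, and the AION host addresses, internal ranges and approved external endpoints are placeholder values that a deployment would replace with its own inventory and egress policy.

```python
"""Flag unexpected outbound connections from HCL AION hosts.

Added example for the compensating controls described on this page; it is
not HCL's code. Assumptions (all constructed placeholders):
  - flow logs look like:
      <timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp> action=<allow|deny>
  - AION_HOSTS, INTERNAL_NETS and APPROVED_EXTERNAL reflect the site's own
    inventory and egress policy.
"""
import ipaddress
import re

# Constructed: addresses of the AION instances whose egress is being watched.
AION_HOSTS = {"10.20.30.5", "10.20.30.6"}

# Constructed: networks AION is expected to reach (internal services only).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed: explicitly approved external (ip, port) endpoints, e.g. a licensed connector.
APPROVED_EXTERNAL = {("203.0.113.10", 443)}

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


def parse_flow(line):
    """Parse one flow-log line into a dict, or return None if it is malformed."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    flow = m.groupdict()
    flow["dport"] = int(flow["dport"])
    return flow


def is_internal(ip):
    """True if the address falls inside one of the trusted internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(flow):
    """Return None for an expected flow, otherwise a short reason string.

    A denied flow still produces an alert: the egress filter held, but the
    attempt itself is the signal that an out-of-band interaction was triggered.
    """
    if flow["src"] not in AION_HOSTS:
        return None  # traffic from something other than an AION host
    if is_internal(flow["dst"]):
        return None  # internal destination, expected for an integration platform
    if (flow["dst"], flow["dport"]) in APPROVED_EXTERNAL:
        return None  # external endpoint that the egress policy explicitly allows
    if flow["action"] == "deny":
        return "blocked-by-egress-filter"
    return "unapproved-external-egress"


def find_unexpected_egress(lines):
    """Return (timestamp, src, dst, dport, reason) tuples for flows that need review."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue  # skip lines that do not match the expected format
        reason = classify(flow)
        if reason:
            alerts.append((flow["ts"], flow["src"], flow["dst"], flow["dport"], reason))
    return alerts


# Constructed sample log: one expected internal flow, one approved external flow,
# one unapproved external flow that was allowed, one that the egress filter
# blocked, one flow from a non-AION host, and one malformed line.
SAMPLE_LOG = [
    "2026-05-14T17:00:01Z src=10.20.30.5 dst=10.1.2.3 dport=5432 proto=tcp action=allow",
    "2026-05-14T17:00:02Z src=10.20.30.5 dst=203.0.113.10 dport=443 proto=tcp action=allow",
    "2026-05-14T17:00:03Z src=10.20.30.6 dst=198.51.100.25 dport=443 proto=tcp action=allow",
    "2026-05-14T17:00:04Z src=10.20.30.6 dst=198.51.100.77 dport=80 proto=tcp action=deny",
    "2026-05-14T17:00:05Z src=10.20.30.9 dst=198.51.100.25 dport=443 proto=tcp action=allow",
    "malformed line",
]

if __name__ == "__main__":
    for alert in find_unexpected_egress(SAMPLE_LOG):
        print(alert)
```

Run against the constructed sample, the script reports the allowed flow to 198.51.100.25:443 as unapproved egress (the finding that matters most, since it means the egress filter has a gap) and the denied flow to 198.51.100.77:80 as a blocked attempt; the internal, approved and non-AION flows are ignored. In production the same logic would read the firewall's export format and feed a SIEM rather than print, and APPROVED_EXTERNAL should be kept in step with whichever AION external-interaction features remain enabled.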


CVE-2025-62305 vulnerability details – vuln.today
