Skip to main content

HCL AION CVE-2025-62308

| EUVDEUVD-2025-209849 MEDIUM
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-05-14 HCL GHSA-28wj-h87j-w86h
5.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
AV:A/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
May 14, 2026 - 17:32 vuln.today
CVE Published
May 14, 2026 - 16:12 nvd
MEDIUM 5.1

DescriptionCVE.org

HCL AION is affected by a vulnerability where sensitive backend infrastructure details may be exposed. Exposure of such information could reveal internal system architecture or configuration details, which may potentially assist in further analysis or targeted actions under certain conditions

AnalysisAI

HCL AION exposes sensitive backend infrastructure details through an information disclosure vulnerability affecting authenticated users with local network access and specific user interaction. The exposure reveals internal system architecture and configuration information that could enable reconnaissance for targeted attacks, with limited confidentiality, integrity, and availability impact (CVSS 5.1, CWE-201). No public exploit code or confirmed active exploitation has been identified at time of analysis.

Technical ContextAI

This vulnerability is rooted in improper access control and information exposure (CWE-201), a classification for sensitive data disclosure that does not properly restrict access to system details. HCL AION, an enterprise integration and automation platform, exposes backend infrastructure specifics-potentially including system architecture, configuration parameters, internal hostnames, network topology, or service details-through an attack surface requiring adjacent network access (AV:A), high complexity (AC:H), low privilege level (PR:L), and user interaction (UI:R). The scope change (S:C) indicates the vulnerability impacts resources beyond the vulnerable component itself. The affected product spans all versions of HCL AION per the CPE cpe:2.3:a:hcl:aion:*:*:*:*:*:*:*:*, suggesting the issue is not version-specific but rather a design or default-configuration flaw.

RemediationAI

Consult HCL's official security advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130636 for vendor-released patches, specific patched versions, and release dates, as this information is not currently visible in public databases. Pending availability of a patched version, implement the following compensating controls with documented trade-offs: (1) Restrict network access to HCL AION administration and backend infrastructure interfaces to trusted administrative subnets only using network segmentation or firewalls-this eliminates adjacent-network attack vector (AV:A) but may complicate remote administration workflows; (2) Disable or restrict user interaction features that trigger information disclosure, if such features are documented in HCL AION's security hardening guide-side effect is reduced feature availability; (3) Revoke low-privilege accounts that do not require backend access and enforce least-privilege role assignments to reduce PR:L attack surface; (4) Enable logging and alerting on any access to backend infrastructure details and review logs for anomalous information queries. Monitor HCL's support portal for patch availability and apply as soon as released.

More in Aion

View all
CVE-2025-52650 HIGH
8.2 Oct 10

Inline script execution allowed in CSP vulnerability has been identified in HCL AION v2.0

CVE-2025-52632 MEDIUM
6.5 Oct 10

A Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability in HCL AION.This issue affects AION: 2.0.

CVE-2025-52644 MEDIUM
5.8 Mar 16

HCL AION contains inadequate auditing and logging mechanisms that fail to properly track certain user actions, reducing

CVE-2025-52638 MEDIUM
5.6 Mar 16

HCL AION contains a container base image authentication vulnerability where container images are not properly verified b

CVE-2025-52627 MEDIUM
5.5 Feb 03

Aion versions up to 2.0 is affected by incorrect permission assignment for critical resource (CVSS 5.5).

CVE-2025-62313 MEDIUM
5.4 May 14

HCL AION lacks adequate brute-force protections on authentication mechanisms, allowing repeated login attempts that coul

CVE-2025-62310 MEDIUM
5.4 May 14

HCL AION fails to enforce encryption for certain data transmissions or operations, potentially exposing sensitive inform

CVE-2025-52624 MEDIUM
5.4 Oct 10

A vulnerability  Bypass of the script allowlist configuration in HCL AION.  An incorrectly configured Content-Security-

CVE-2025-62305 MEDIUM
5.1 May 14

HCL AION allows exposure of sensitive information through out-of-band interactions triggered by certain operations, affe

CVE-2025-52643 MEDIUM
4.7 Mar 16

A security vulnerability in HCL AION (CVSS 4.7). Remediation should follow standard vulnerability management procedures.

CVE-2025-52628 MEDIUM
4.6 Feb 03

Aion versions up to 2.0 contains a vulnerability that allows attackers to cookies to be sent in cross-site requests, pot

CVE-2025-52626 MEDIUM
4.5 Feb 03

A Potential Command Injection vulnerability in HCL AION. An This can allow unintended command execution, potentially le

Share

CVE-2025-62308 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy