Severity by source
AV:A/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
HCL AION is affected by a vulnerability where encryption is not enforced for certain data transmissions or operations. This may expose sensitive information to potential interception or unauthorized access under specific conditions.
AnalysisAI
HCL AION fails to enforce encryption for certain data transmissions or operations, potentially exposing sensitive information to interception or unauthorized access. The vulnerability requires adjacent network access, high attack complexity, and user interaction, limiting real-world exploitation scope. No active exploitation has been confirmed at time of analysis.
Technical ContextAI
The vulnerability stems from insufficient cryptographic controls (CWE-319: Cleartext Transmission of Sensitive Information) in HCL AION's data transmission mechanisms. Certain operations or data flows lack enforced encryption, meaning information may traverse network or storage channels in plaintext or with weak protection. The attack vector (AV:A) indicates the threat actor must be on the same network segment as the target, suggesting this affects scenarios where an attacker has local network positioning (same LAN, WiFi, or adjacent network). The vulnerability affects all versions of HCL AION as indicated by the wildcard CPE, though specific affected version ranges have not been disclosed in available references.
RemediationAI
Consult HCL support advisory KB0130636 at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130636 for vendor-supplied patch or update instructions. If a patched version is available, upgrade HCL AION to the minimum remediated release specified by HCL. Pending patch deployment, implement the following compensating controls: enforce network segmentation to restrict adjacent-network access to AION systems (use VLANs, firewall rules, or network access control lists to limit which systems can communicate with AION); disable or restrict any optional features that transmit sensitive data if such features are not critical to operations (consult HCL documentation for feature-specific encryption toggles); implement encrypted VPN or IPsec tunnels for all AION communications to ensure data in transit is protected even if AION's native encryption is not enforced; monitor network traffic for unencrypted sensitive data transmissions using network IDS/DLP tools and establish alerts. These controls introduce operational overhead and do not replace vendor patching; prioritize patch deployment based on HCL's timeline.
Inline script execution allowed in CSP vulnerability has been identified in HCL AION v2.0
A Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability in HCL AION.This issue affects AION: 2.0.
HCL AION contains inadequate auditing and logging mechanisms that fail to properly track certain user actions, reducing
HCL AION contains a container base image authentication vulnerability where container images are not properly verified b
Aion versions up to 2.0 is affected by incorrect permission assignment for critical resource (CVSS 5.5).
HCL AION lacks adequate brute-force protections on authentication mechanisms, allowing repeated login attempts that coul
A vulnerability Bypass of the script allowlist configuration in HCL AION. An incorrectly configured Content-Security-
HCL AION allows exposure of sensitive information through out-of-band interactions triggered by certain operations, affe
HCL AION exposes sensitive backend infrastructure details through an information disclosure vulnerability affecting auth
A security vulnerability in HCL AION (CVSS 4.7). Remediation should follow standard vulnerability management procedures.
Aion versions up to 2.0 contains a vulnerability that allows attackers to cookies to be sent in cross-site requests, pot
A Potential Command Injection vulnerability in HCL AION. An This can allow unintended command execution, potentially le
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209851
GHSA-87fr-h366-pw6q