
HCL AION CVE-2025-62311

EUVD ID: EUVD-2025-209854
Severity: MEDIUM (CVSS 3.1 base score 4.3)
Weakness: Cleartext Transmission of Sensitive Information (CWE-319)
Published: 2026-05-14
Vendor: HCL
GitHub advisory: GHSA-rm7f-v2gq-q2mw

CVSS Vector (NVD)

CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

Attack Vector: Adjacent
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

CVE Published: May 14, 2026 - 16:06 (nvd)
Analysis Generated: May 14, 2026 - 17:30 (vuln.today)
Rating: MEDIUM 4.3

Description (NVD)

HCL AION is affected by a vulnerability where backend service details may be transmitted over insecure HTTP channels. This may expose sensitive information to potential interception or unauthorized access during transmission under certain conditions.

Analysis (AI)

Under certain conditions, HCL AION transmits backend service details over unencrypted HTTP, allowing an authenticated attacker with limited privileges and adjacent-network positioning to intercept and read sensitive configuration data through a man-in-the-middle attack. Exploitation requires user interaction and non-default network positioning, which is reflected in the CVSS 3.1 base score of 4.3 (medium severity); the vendor is aware of the issue and has published an advisory.

Technical Context (AI)

This vulnerability is an instance of CWE-319 (Cleartext Transmission of Sensitive Information), a class of weaknesses in which sensitive data traverses the network without cryptographic protection. HCL AION, a data integration and orchestration platform, handles backend service configuration and connection details that must remain confidential. The vulnerability manifests when the application's backend service communication layer fails to enforce HTTPS/TLS in specific operational contexts, leaving plain HTTP available as a protocol option, and potentially selected by default or as a fallback. The affected scope is limited by the CVSS vector's requirement for adjacent-network positioning (AV:A): the threat model is local network compromise or insider positioning rather than internet-facing exposure.

Remediation (AI)

Contact HCL support and apply the fix described in KB0130636 (https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130636) for your installed AION version; specific fixed versions are not confirmed in publicly available data. As interim compensating controls: enforce HTTPS/TLS for all AION backend service communication, using network policies and firewall rules that block plain HTTP on AION service ports; implement mutual TLS (mTLS) authentication between frontend and backend components, so that the channel is encrypted and both endpoints are authenticated; restrict AION deployment to isolated network segments with access control lists that limit network adjacency to trusted administrative staff; and disable any legacy HTTP-only service discovery or configuration endpoints if the administration interface allows it. Network-level enforcement such as requiring VPN access for AION service management further reduces the attack surface by preventing direct adjacent-network positioning.
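The interim controls above translate into a configuration audit a defender can run before the vendor fix is applied. The following is an added example, not HCL AION's own code or configuration format: the `SAMPLE_SERVICES` list is a constructed, hypothetical schema for backend service definitions, and `audit_services` flags the three conditions the remediation calls out (cleartext scheme, HTTP fallback, missing mTLS client certificate).

```python
"""Audit backend service definitions for cleartext (CWE-319) exposure.

Added example, not HCL AION's own code or config format. The service
records below use a constructed, hypothetical schema chosen to illustrate
the checks recommended in the remediation: HTTPS only, no HTTP fallback,
and mTLS between frontend and backend components.
"""
from urllib.parse import urlparse

# Constructed sample of how a deployment might describe its backend services.
SAMPLE_SERVICES = [
    {"name": "orchestrator", "url": "https://aion-core.internal:8443",
     "allow_http_fallback": False, "client_cert": "/etc/aion/tls/fe.pem"},
    {"name": "metadata", "url": "http://aion-meta.internal:8080",
     "allow_http_fallback": False, "client_cert": None},
    {"name": "scheduler", "url": "https://aion-sched.internal:8443",
     "allow_http_fallback": True, "client_cert": None},
]


def audit_services(services):
    """Return (service name, finding) pairs describing cleartext risk."""
    findings = []
    for svc in services:
        name = svc["name"]
        scheme = urlparse(svc["url"]).scheme
        if scheme != "https":
            # Backend details travel unencrypted and can be read on-path.
            findings.append((name, "cleartext scheme %s" % scheme))
        if svc.get("allow_http_fallback"):
            # A downgrade path defeats TLS even when the primary URL is https.
            findings.append((name, "http fallback enabled"))
        if not svc.get("client_cert"):
            # Without a client certificate there is no mTLS between components.
            findings.append((name, "no mTLS client certificate"))
    return findings


def is_compliant(services):
    """True when no service definition produces a finding."""
    return not audit_services(services)


if __name__ == "__main__":
    for name, finding in audit_services(SAMPLE_SERVICES):
        print(f"{name}: {finding}")
```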
