
HCL AION CVE-2025-62312

EUVD-2025-209855 | Severity: LOW
Insufficiently Protected Credentials (CWE-522)
2026-05-14 | HCL | GHSA-6326-6jqq-gxgp
CVSS 3.1 base score: 3.0

CVSS Vector (NVD)

CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline (2 events)

Analysis Generated: May 14, 2026 - 17:32 (vuln.today)
CVE Published: May 14, 2026 - 16:09 (nvd)

Description (NVD)

HCL AION is affected by a vulnerability where basic authorization tokens are used for authentication. Use of basic authorization mechanisms may expose credentials to potential interception or misuse, especially if not combined with secure transmission practices.

Analysis (AI)

HCL AION uses basic authorization tokens for authentication, so credentials are exposed to interception or misuse whenever they are not carried over an encrypted channel. Exploitation requires an attacker on the adjacent network (AV:A) who already holds low privileges (PR:L) and needs some user interaction (UI:R), and the impact is limited to a partial loss of confidentiality (C:L, I:N, A:N). The CVSS 3.1 base score of 3.0 puts this at Low severity, but the underlying authentication weakness can still lead to credential theft wherever AION traffic crosses an unencrypted internal segment.

Technical Context (AI)

The description points to HTTP Basic Authentication: the client sends the user name and password as a base64-encoded username:password string in the Authorization header, typically on every request. Base64 is an encoding, not encryption, so anyone who can read the bytes on the wire recovers the password in one step. CWE-522 (Insufficiently Protected Credentials) names the root cause: Basic Auth provides no credential protection of its own and relies entirely on TLS/HTTPS for confidentiality in transit. The Adjacent attack vector (AV:A) means the attacker needs a foothold on the same network segment as an AION client or server; from there, passive sniffing on a shared medium or an active man-in-the-middle position obtained through ARP spoofing is enough to read the header if AION accepts Basic Auth over plaintext HTTP. Two properties make a captured Basic header worse than a captured short-lived token: it is the user's actual password, reusable wherever that password is accepted, and it is resent with each request, so a single captured session exposes it repeatedly.
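The following is an added example, not code from HCL or from vuln.today, showing what an adjacent-network observer recovers when Basic Auth rides on plaintext HTTP versus TLS. The captured requests, the host name aion.example.internal, the path and the credentials are all constructed for this illustration; the TLS capture is an opaque record fragment, which is all a sniffer sees once the header is inside a TLS session.

```python
"""Added example (not HCL's or vuln.today's code): recover Basic Auth
credentials from constructed plaintext captures, and show that a TLS
capture yields nothing."""
import base64
import binascii
from typing import Dict, List, Optional, Tuple

# Constructed captures: (transport, payload). The host name, path and
# credentials are invented for this example.
CAPTURES: List[Tuple[str, bytes]] = [
    ("tcp/80", b"GET /api/v1/jobs HTTP/1.1\r\n"
               b"Host: aion.example.internal\r\n"
               b"Authorization: Basic YWxpY2U6UyNjcjN0UGFzcw==\r\n"
               b"\r\n"),
    ("tcp/80", b"GET /api/v1/jobs HTTP/1.1\r\n"
               b"Host: aion.example.internal\r\n"
               b"Authorization: Bearer abc123\r\n"          # not Basic: skipped
               b"\r\n"),
    ("tcp/80", b"GET / HTTP/1.1\r\n"
               b"Authorization: Basic not-base64!\r\n"      # malformed: skipped
               b"\r\n"),
    # Constructed TLS record fragment: opaque to a passive observer.
    ("tcp/443", bytes.fromhex("16030100a5010000a10303")),
]


def parse_headers(payload: bytes) -> Dict[str, str]:
    """Split an HTTP/1.x request into a lower-cased header map.

    Returns an empty dict when the payload is not a parseable request,
    which is what a sniffer gets for a TLS record.
    """
    head, _, _ = payload.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return {}
    if not lines[0].endswith(("HTTP/1.0", "HTTP/1.1")):
        return {}
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def decode_basic(value: str) -> Optional[Tuple[str, str]]:
    """Decode an 'Authorization: Basic <token>' value into (user, password).

    Returns None for other schemes or malformed tokens. The split is on the
    first ':' because passwords may contain colons (RFC 7617, section 2).
    """
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    user, sep, password = raw.decode("utf-8", errors="replace").partition(":")
    if not sep:
        return None
    return user, password


def recover_credentials(captures: List[Tuple[str, bytes]]) -> List[Tuple[str, str, str, str]]:
    """Return (transport, host, user, password) for every Basic header readable in the captures."""
    found = []
    for transport, payload in captures:
        headers = parse_headers(payload)
        for name in ("authorization", "proxy-authorization"):
            creds = decode_basic(headers[name]) if name in headers else None
            if creds:
                found.append((transport, headers.get("host", "?"), creds[0], creds[1]))
    return found


if __name__ == "__main__":
    for transport, host, user, password in recover_credentials(CAPTURES):
        print(f"{transport} {host}: {user} / {password}")
```

Only the first capture yields a credential; the Bearer token is not decodable this way, the malformed token is rejected, and the TLS record is opaque. That is the whole difference TLS makes for Basic Auth, and why the fix is transport enforcement rather than anything in the header itself.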

Remediation (AI)

HCL has published guidance at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130636; check that article for patched versions, since this page does not list them. Until the fix is applied: enforce TLS 1.2 or later on every AION endpoint that accepts an Authorization header, reject or redirect plaintext HTTP rather than serving it, and set HSTS so browser clients do not downgrade; disable Basic Auth wherever AION offers an alternative (OAuth 2.0, SAML, certificate-based authentication); restrict AION network access to trusted internal subnets with firewall rules, which directly narrows the AV:A precondition; and disable credential caching in client applications that connect to AION. Watch AION and proxy logs for Basic Auth anomalies such as bursts of failed authentications, requests from unexpected source addresses, and any request that arrived over plaintext. If AION exposes Basic Auth APIs to external callers, front them with an API gateway that terminates TLS, never writes the Authorization header to its logs, and rate-limits authentication attempts.
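The following is an added example, not code from HCL or from vuln.today, that triages Basic Auth activity in access logs for the three signals the remediation calls out: failed-authentication bursts, requests from outside the trusted subnets, and requests that reached the service over plaintext HTTP. AION's real log format is not documented on this page, so the line layout, the sample lines, the trusted subnets and the failure threshold are all constructed assumptions; adapt the parser to the actual format, and note that the log records only the authentication scheme, never the header value itself.

```python
"""Added example (not HCL's or vuln.today's code): triage Basic Auth
activity in a constructed access log."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed log format, one request per line:
#   <src_ip> <scheme> <method> <path> <status> <auth_scheme>
# The Authorization value is deliberately absent; never log it.
SAMPLE_LOG = """\
10.20.1.15 https GET /api/v1/jobs 200 Basic
10.20.1.15 https GET /api/v1/jobs 200 Basic
192.168.50.7 https POST /api/v1/login 401 Basic
192.168.50.7 https POST /api/v1/login 401 Basic
192.168.50.7 https POST /api/v1/login 401 Basic
192.168.50.7 https POST /api/v1/login 401 Basic
192.168.50.7 https POST /api/v1/login 401 Basic
10.20.1.22 http GET /api/v1/jobs 200 Basic
203.0.113.9 https GET /api/v1/jobs 200 Basic
10.20.1.15 https GET /health 200 -
"""

# Assumed trusted ranges and alert threshold; tune for the real deployment.
TRUSTED_SUBNETS = [ipaddress.ip_network("10.20.0.0/16"),
                   ipaddress.ip_network("192.168.50.0/24")]
FAILURE_THRESHOLD = 5


@dataclass(frozen=True)
class Finding:
    kind: str      # plaintext_basic_auth | untrusted_source | auth_failure_burst
    source: str    # offending source IP
    detail: str


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse the constructed format; lines that do not fit are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        src, scheme, method, path, status, auth = parts
        entries.append({"src": src, "scheme": scheme, "method": method,
                        "path": path, "status": int(status), "auth": auth})
    return entries


def triage(entries, trusted=TRUSTED_SUBNETS, threshold=FAILURE_THRESHOLD) -> List[Finding]:
    """Return findings for Basic Auth requests, in the order: plaintext, untrusted source, failure burst."""
    findings: List[Finding] = []
    basic = [e for e in entries if str(e["auth"]).lower() == "basic"]

    # 1. Basic Auth that did not arrive over TLS: the credential was readable in transit.
    for e in basic:
        if e["scheme"] != "https":
            findings.append(Finding("plaintext_basic_auth", str(e["src"]),
                                    f"{e['method']} {e['path']} over {e['scheme']}"))

    # 2. Basic Auth from a source outside the trusted subnets.
    for src in sorted({str(e["src"]) for e in basic}):
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in trusted):
            findings.append(Finding("untrusted_source", src,
                                    "Basic Auth from outside trusted subnets"))

    # 3. Repeated 401s from one source: guessing or replaying stale credentials.
    failures = Counter(str(e["src"]) for e in basic if e["status"] == 401)
    for src, n in failures.items():
        if n >= threshold:
            findings.append(Finding("auth_failure_burst", src,
                                    f"{n} failed Basic Auth attempts"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"{f.kind:22} {f.source:15} {f.detail}")
```

On the sample log this flags 10.20.1.22 (Basic Auth over http), 203.0.113.9 (outside the trusted ranges) and 192.168.50.7 (five 401s). The plaintext check is the one worth wiring to an alert first, because each such line means a password has already been exposed on the wire.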


