
Aion · EUVD-2025-208721

CVE-2025-52638 MEDIUM
Insufficient Verification of Data Authenticity (CWE-345)
2026-03-16 HCL
5.6
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
5.6 MEDIUM
AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H
Attack Vector: Local
Attack Complexity: High
Privileges Required: High
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: High

Lifecycle Timeline

EUVD ID Assigned: Mar 16, 2026 - 14:00 (euvd), EUVD-2025-208721
Analysis Generated: Mar 16, 2026 - 14:00 (vuln.today)
CVE Published: Mar 16, 2026 - 12:35 (nvd), MEDIUM 5.6

Description (CVE.org)

HCL AION is affected by a vulnerability where container base images are not properly authenticated. This may expose the system to potential security risks such as usage of untrusted container images, which could lead to unintended behaviour or security impact.

Analysis (AI)

HCL AION contains a container base image authentication vulnerability where container images are not properly verified before deployment, potentially allowing attackers to execute untrusted or malicious container images within the AION environment. This affects AION 2.0 and could enable attackers with local access and high privileges to compromise system integrity and availability. No public evidence of active exploitation or POC availability has been identified in the provided intelligence sources.

Technical Context (AI)

The vulnerability (CWE unspecified but related to authentication/verification mechanisms) exists in HCL AION's container orchestration layer, where base container images lack proper cryptographic verification or signature validation before execution. Container platforms typically rely on image digests, digital signatures, or registry authentication to ensure image integrity and source authenticity. AION's implementation appears to bypass or improperly implement these controls, allowing deployment of unsigned, tampered, or malicious base images. The affected product is identified by CPE cpe:2.3:a:hcl:aion:*:*:*:*:*:*:*:*. This is fundamentally an authentication and integrity control failure in the container image supply chain within the AION platform.

Remediation (AI)

Obtain and apply the security patch from HCL AION as documented in the vendor advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129410. Until patches are deployed, implement compensating controls by enforcing container image signature verification at the registry level, restricting container image pulls to approved and internally scanned registries only, implementing strict role-based access controls to limit container deployment to authorized personnel, and conducting security scanning of all base images before deployment. Enable audit logging for all container image operations to detect unauthorized image usage attempts.
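Two of the compensating controls above, approved registries only and images pinned to an immutable digest, can be checked before any deploy step. The following is an added example, not code from HCL or from this advisory; the registry names and image references are constructed placeholders, and it does not replace signature verification by a signing tool.

```python
import re

# Assumption: hypothetical allowlist of internally scanned registries.
APPROVED_REGISTRIES = {"registry.internal.example:5000", "mirror.internal.example"}
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


def split_image_ref(ref):
    """Split an image reference into (registry, repository, tag, digest)."""
    name, _, digest = ref.partition("@")
    first, slash, rest = name.partition("/")
    # Docker convention: the first component is a registry host only if it
    # contains '.' or ':' or is 'localhost'; otherwise Docker Hub is implied.
    if slash and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", name
    # A tag is a ':' in the last path component (never the registry port).
    tag = None
    if ":" in path.rsplit("/", 1)[-1]:
        path, _, tag = path.rpartition(":")
    return registry, path, tag, digest or None


def check_image(ref, approved=APPROVED_REGISTRIES):
    """Return the list of policy violations for one image reference."""
    registry, _, tag, digest = split_image_ref(ref)
    problems = []
    if registry not in approved:
        problems.append(f"registry '{registry}' is not approved")
    if digest is None:
        # Tags are mutable: the same tag can later point at different content.
        problems.append(f"not pinned by digest (mutable tag '{tag or 'latest'}')")
    elif not DIGEST_RE.fullmatch(digest):
        problems.append("digest is not a well-formed sha256 value")
    return problems


def audit(refs):
    """Map each failing reference to its violations; an empty dict means pass."""
    return {r: p for r in refs if (p := check_image(r))}


if __name__ == "__main__":
    # Constructed sample references, not taken from any real deployment.
    good = "registry.internal.example:5000/base/python:3.12@sha256:" + "ab" * 32
    samples = [good, "ubuntu:22.04", "mirror.internal.example/base/alpine"]
    for ref, problems in audit(samples).items():
        print(f"DENY {ref}: {'; '.join(problems)}")
```
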

More in Aion

CVE-2025-52650 HIGH
8.2 Oct 10

Inline script execution allowed in CSP vulnerability has been identified in HCL AION v2.0

CVE-2025-52632 MEDIUM
6.5 Oct 10

A Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability in HCL AION.This issue affects AION: 2.0.

CVE-2025-52644 MEDIUM
5.8 Mar 16

HCL AION contains inadequate auditing and logging mechanisms that fail to properly track certain user actions, reducing

CVE-2025-52627 MEDIUM
5.5 Feb 03

Aion versions up to 2.0 is affected by incorrect permission assignment for critical resource (CVSS 5.5).

CVE-2025-62313 MEDIUM
5.4 May 14

HCL AION lacks adequate brute-force protections on authentication mechanisms, allowing repeated login attempts that coul

CVE-2025-62310 MEDIUM
5.4 May 14

HCL AION fails to enforce encryption for certain data transmissions or operations, potentially exposing sensitive inform

CVE-2025-52624 MEDIUM
5.4 Oct 10

A vulnerability  Bypass of the script allowlist configuration in HCL AION.  An incorrectly configured Content-Security-

CVE-2025-62305 MEDIUM
5.1 May 14

HCL AION allows exposure of sensitive information through out-of-band interactions triggered by certain operations, affe

CVE-2025-62308 MEDIUM
5.1 May 14

HCL AION exposes sensitive backend infrastructure details through an information disclosure vulnerability affecting auth

CVE-2025-52643 MEDIUM
4.7 Mar 16

A security vulnerability in HCL AION (CVSS 4.7). Remediation should follow standard vulnerability management procedures.

CVE-2025-52628 MEDIUM
4.6 Feb 03

Aion versions up to 2.0 contains a vulnerability that allows attackers to cookies to be sent in cross-site requests, pot

CVE-2025-52626 MEDIUM
4.5 Feb 03

A Potential Command Injection vulnerability in HCL AION. An This can allow unintended command execution, potentially le
