Skip to main content

Unica EUVDEUVD-2025-208747

| CVE-2025-62319 CRITICAL
SQL Injection (CWE-89)
2026-03-16 HCL
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 16, 2026 - 16:00 euvd
EUVD-2025-208747
Analysis Generated
Mar 16, 2026 - 16:00 vuln.today
CVE Published
Mar 16, 2026 - 15:30 nvd
CRITICAL 9.8

DescriptionCVE.org

Boolean-Based SQL Injection is a type of blind SQL injection where an attacker manipulates SQL queries by injecting Boolean conditions (TRUE or FALSE) into application input fields. Instead of returning database errors or visible data, the application responds differently depending on whether the injected condition evaluates to true or false. This allows an attacker to inject arbitrary SQL into backend configuration queries executed within the application.

AnalysisAI

A Boolean-based SQL injection vulnerability exists in HCL Unica that allows remote attackers to manipulate backend database queries through specially crafted input fields. The vulnerability affects HCL Unica version 25.1.1 and below, enabling unauthenticated attackers to extract sensitive data, modify database contents, or potentially compromise the entire system. With a critical CVSS score of 9.8 and network-based attack vector requiring no authentication, this represents a severe risk to organizations using affected Unica installations.

Technical ContextAI

HCL Unica is an enterprise marketing automation platform identified by CPE cpe:2.3:a:hcl:unica:*:*:*:*:*:*:*:*. The vulnerability stems from improper neutralization of special elements in SQL commands (CWE-89), specifically allowing Boolean-based blind SQL injection attacks. In this attack variant, malicious SQL conditions are injected that evaluate to TRUE or FALSE, causing the application to respond differently based on the result without directly revealing data or errors. This enables attackers to systematically extract information from the database one bit at a time by observing application behavior changes.

RemediationAI

Organizations must upgrade HCL Unica to a version newer than 25.1.1 as recommended in HCL's security advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129410. Until patching is possible, implement strict input validation and parameterized queries for all user inputs, deploy a web application firewall (WAF) with SQL injection detection rules, and restrict network access to the Unica application to trusted IP ranges only. Monitor database query logs for suspicious Boolean-based patterns and unusual query volumes that may indicate exploitation attempts.

Share

EUVD-2025-208747 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy