EUVD-2025-208747 | CVE-2025-62319
Severity: CRITICAL (CVSS 3.1 base score 9.8)
Published: 2026-03-16
Vendor: HCL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

EUVD ID Assigned (EUVD-2025-208747): Mar 16, 2026 - 16:00 (source: euvd)
Analysis Generated: Mar 16, 2026 - 16:00 (source: vuln.today)
CVE Published: Mar 16, 2026 - 15:30 (source: nvd)

Description

Boolean-Based SQL Injection is a type of blind SQL injection where an attacker manipulates SQL queries by injecting Boolean conditions (TRUE or FALSE) into application input fields. Instead of returning database errors or visible data, the application responds differently depending on whether the injected condition evaluates to true or false. This allows an attacker to inject arbitrary SQL into backend configuration queries executed within the application.

Analysis

A Boolean-based SQL injection vulnerability exists in HCL Unica that allows remote attackers to manipulate backend database queries through specially crafted input fields. The vulnerability affects HCL Unica version 25.1.1 and below, enabling unauthenticated attackers to extract sensitive data, modify database contents, or potentially compromise the entire system. With a critical CVSS score of 9.8 and a network-based attack vector that requires no authentication, this represents a severe risk to organizations running affected Unica installations.

Technical Context

HCL Unica is an enterprise marketing automation platform identified by CPE cpe:2.3:a:hcl:unica:*:*:*:*:*:*:*:*. The vulnerability stems from improper neutralization of special elements in SQL commands (CWE-89), specifically allowing Boolean-based blind SQL injection attacks. In this attack variant, malicious SQL conditions are injected that evaluate to TRUE or FALSE, causing the application to respond differently based on the result without directly revealing data or errors. This enables attackers to systematically extract information from the database one bit at a time by observing application behavior changes.

Affected Products

HCL Unica version 25.1.1 and all prior versions are vulnerable to this Boolean-based SQL injection attack, as confirmed by ENISA EUVD-2025-208747. The affected product is identified through CPE cpe:2.3:a:hcl:unica:*:*:*:*:*:*:*:* and includes all deployment configurations of the Unica marketing platform. HCL has published security advisory KB0129410 detailing the vulnerability at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129410.

Remediation

Organizations must upgrade HCL Unica to a version newer than 25.1.1 as recommended in HCL's security advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129410. Until patching is possible, implement strict input validation and parameterized queries for all user inputs, deploy a web application firewall (WAF) with SQL injection detection rules, and restrict network access to the Unica application to trusted IP ranges only. Monitor database query logs for suspicious Boolean-based patterns and unusual query volumes that may indicate exploitation attempts.

Priority Score

49 (scale: Low / Medium / High / Critical)
Score components: KEV 0, EPSS +0.0, CVSS +49, POC 0


EUVD-2025-208747 vulnerability details – vuln.today
