
HCL AION EUVD-2025-209849

CVE-2025-62308 | Severity: MEDIUM (CVSS 3.1 base score 5.1)
Weakness: Insertion of Sensitive Information Into Sent Data (CWE-201)
Published: 2026-05-14 | Vendor: HCL | GitHub advisory: GHSA-28wj-h87j-w86h

CVSS Vector (NVD)

CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L

Attack Vector: Adjacent
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Analysis Generated: May 14, 2026, 17:32 (vuln.today)
CVE Published: May 14, 2026, 16:12 (nvd)

Description (NVD)

HCL AION is affected by a vulnerability where sensitive backend infrastructure details may be exposed. Exposure of such information could reveal internal system architecture or configuration details, which may potentially assist in further analysis or targeted actions under certain conditions.

Analysis (AI)

HCL AION exposes sensitive backend infrastructure details through an information disclosure weakness (CWE-201). Per the NVD vector, reaching it requires a low-privileged authenticated account on an adjacent network, a high-complexity set of conditions, and an action by a user other than the attacker. What leaks is internal architecture and configuration information, which is useful for reconnaissance ahead of a targeted attack; the direct confidentiality, integrity and availability impact is rated Low (CVSS 3.1 base score 5.1, MEDIUM). No public exploit code or confirmed active exploitation had been identified at the time of analysis.

Technical Context (AI)

CWE-201, Insertion of Sensitive Information Into Sent Data, covers code that copies data into an outbound message or response that the recipient should not receive. It is an information-exposure weakness rather than an access-control defect: the requester may be entitled to the response, but not to the backend details carried inside it. For HCL AION, an enterprise integration and automation platform, the disclosed data is described only as backend infrastructure specifics; that may include system architecture, configuration parameters, internal hostnames, network topology or service details, but neither the NVD description nor the advisory text available here says which. The vector gives the preconditions: adjacent network access (AV:A), high attack complexity (AC:H), a low-privileged account (PR:L) and user interaction (UI:R). The scope change (S:C) means the exposed data belongs to a component other than the one that sends it, which is consistent with a frontend component relaying details about the backends it talks to. NVD's CPE cpe:2.3:a:hcl:aion:*:*:*:*:*:*:*:* matches every version, but a wildcard CPE usually means the affected range has not yet been populated; it is not evidence that the flaw is design-level or present in all releases. Treat the vendor advisory as authoritative for affected and fixed versions.

Remediation (AI)

Consult HCL's security advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130636 (also tracked as GHSA-28wj-h87j-w86h) for the affected and fixed versions and their release dates; at the time of analysis that information is not in the public databases. Until a fixed version is deployed, the following compensating controls apply, each with its trade-off:

1. Restrict network reachability of HCL AION and its backend interfaces to trusted administrative subnets with segmentation or firewall rules. This shrinks the set of hosts that count as adjacent (AV:A) rather than removing the vector, and it may complicate remote administration.
2. If HCL's advisory or hardening guidance identifies the feature whose use triggers the disclosure (UI:R), restrict it to the roles that need it; the cost is reduced functionality.
3. Remove accounts that do not need the product and enforce least-privilege role assignments. PR:L means any authenticated low-privilege account is enough to reach the issue, so account hygiene directly reduces the exposed population.
4. Log and alert on requests that return backend details (internal hostnames, connection strings, stack traces, configuration values), for example with a content check at the reverse proxy or WAF in front of AION, and review the logs for anomalous queries.

Monitor HCL's support portal for the patch and apply it as soon as it is released.
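The disclosure path in HCL AION is not public, so the following is a generic illustration of the CWE-201 pattern described under Technical Context, added here and not taken from HCL AION or the vendor advisory: an error handler that copies exception text, a stack trace and live configuration into the HTTP response, beside the hardened form that keeps those details in a server-side log under a correlation id and returns only the id. The `find_leaked_details` function is the kind of content check remediation step 4 refers to, usable on outbound responses or on proxy logs. The hostnames, service account, connection URL and regular expressions are constructed for the demo and must be tuned to your own environment.

```python
import json
import logging
import re
import traceback
import uuid

# Constructed backend configuration for the demo. The hostnames, user and
# build string are hypothetical and not taken from any HCL AION deployment.
BACKEND_CONFIG = {
    "db_host": "pg-prod-01.internal.example",
    "db_user": "app_svc",
    "broker_url": "amqp://mq-01.internal.example:5672/",
    "build": "2.4.1-internal",
}

# Patterns a response or log scanner can use to flag backend details in
# outbound data. Adjust the hostname suffix and address ranges to your site.
INTERNAL_PATTERNS = [
    re.compile(r"\b[\w.-]+\.internal\.example\b"),                   # internal hostnames
    re.compile(r"\b(?:10(?:\.\d{1,3}){3}|192\.168(?:\.\d{1,3}){2})\b"),  # RFC 1918 addresses
    re.compile(r'File \\?"[^"\\]+\\?", line \d+'),                   # Python stack frames (raw or JSON-escaped, POSIX paths)
    re.compile(r"\b[a-z]+://[^\s\"']+"),                              # connection URLs
]

log = logging.getLogger("backend")


def backend_call(config):
    """Stand-in for a failing backend operation. Drivers commonly embed the
    target host in the exception text, which is how the detail reaches the
    error handler."""
    raise ConnectionError(f"could not connect to {config['db_host']}:5432")


def leaky_handler(config):
    """CWE-201 shape: the client-facing body is built from internal state
    (exception text, stack trace, live configuration)."""
    try:
        backend_call(config)
    except Exception as exc:
        frames = traceback.format_exception(type(exc), exc, exc.__traceback__)
        return {
            "status": 500,
            "body": json.dumps({
                "error": str(exc),
                "trace": "".join(frames),
                "backend": config,
            }),
        }
    return {"status": 200, "body": "{}"}


def hardened_handler(config):
    """Same failure, but the detail stays server-side: full context is logged
    under a correlation id and the client receives only the id."""
    try:
        backend_call(config)
    except Exception as exc:
        ref = uuid.uuid4().hex
        log.error("ref=%s backend failure: %s", ref, exc, exc_info=True)
        return {
            "status": 500,
            "body": json.dumps({"error": "internal error", "ref": ref}),
        }
    return {"status": 200, "body": "{}"}


def find_leaked_details(text):
    """Return the distinct fragments of `text` that match an internal-detail
    pattern; an empty list means the payload passed the check."""
    hits = []
    for pat in INTERNAL_PATTERNS:
        for match in pat.findall(text):
            if match not in hits:
                hits.append(match)
    return hits


if __name__ == "__main__":
    for name, handler in (("leaky", leaky_handler), ("hardened", hardened_handler)):
        resp = handler(BACKEND_CONFIG)
        print(name, resp["status"], find_leaked_details(resp["body"]))
```

Run stand-alone, the leaky response is flagged for the database host, the broker URL and the stack frames, while the hardened response yields no hits; the support engineer can still correlate the client's `ref` with the full server-side log entry.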
