Skip to main content

HCL AION EUVDEUVD-2025-209855

| CVE-2025-62312 LOW
Insufficiently Protected Credentials (CWE-522)
2026-05-14 HCL GHSA-6326-6jqq-gxgp
3.0
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.0 LOW
AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 14, 2026 - 17:32 vuln.today
CVE Published
May 14, 2026 - 16:09 nvd
LOW 3.0

DescriptionCVE.org

HCL AION is affected by a vulnerability where basic authorization tokens are used for authentication. Use of basic authorization mechanisms may expose credentials to potential interception or misuse, especially if not combined with secure transmission practices.

AnalysisAI

HCL AION uses basic authorization tokens for authentication, exposing credentials to interception or misuse if not transmitted over encrypted channels. The vulnerability affects authenticated local or adjacent network attackers with low privileges and user interaction, resulting in limited confidentiality impact. CVSS 3.0 reflects low severity, though the underlying authentication weakness may enable credential theft in environments with unencrypted internal traffic.

Technical ContextAI

HCL AION implements HTTP Basic Authentication (base64-encoded username:password in Authorization headers) as a primary or fallback authentication mechanism. Basic Auth credentials are trivially decoded if transmitted over unencrypted HTTP or intercepted on local/adjacent networks (AV:A per CVSS). CWE-522 (Insufficiently Protected Credentials) identifies the root cause: basic auth provides no built-in credential protection and relies entirely on TLS/HTTPS for secure transmission. If AION allows basic auth over non-encrypted channels or adjacent-network protocols, credentials become readable to passive network observers or active attackers performing ARP spoofing, MITM, or packet sniffing on LANs.

RemediationAI

HCL has published guidance at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130636 - verify this link for patch availability and version numbers. In the interim, enforce TLS 1.2+ for all AION authentication endpoints, disable HTTP basic auth if alternative authentication mechanisms (OAuth 2.0, SAML, certificate-based) are available, restrict AION network access to trusted internal subnets only via firewall rules, and disable credential caching in client applications connecting to AION. Monitor for suspicious basic auth patterns in AION logs (failed authentications, unusual source IPs). If AION exposes basic auth APIs to external callers, implement an API gateway with credential masking and rate limiting.

More in Aion

View all
CVE-2025-52650 HIGH
8.2 Oct 10

Inline script execution allowed in CSP vulnerability has been identified in HCL AION v2.0

CVE-2025-52632 MEDIUM
6.5 Oct 10

A Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability in HCL AION.This issue affects AION: 2.0.

CVE-2025-52644 MEDIUM
5.8 Mar 16

HCL AION contains inadequate auditing and logging mechanisms that fail to properly track certain user actions, reducing

CVE-2025-52638 MEDIUM
5.6 Mar 16

HCL AION contains a container base image authentication vulnerability where container images are not properly verified b

CVE-2025-52627 MEDIUM
5.5 Feb 03

Aion versions up to 2.0 is affected by incorrect permission assignment for critical resource (CVSS 5.5).

CVE-2025-62313 MEDIUM
5.4 May 14

HCL AION lacks adequate brute-force protections on authentication mechanisms, allowing repeated login attempts that coul

CVE-2025-62310 MEDIUM
5.4 May 14

HCL AION fails to enforce encryption for certain data transmissions or operations, potentially exposing sensitive inform

CVE-2025-52624 MEDIUM
5.4 Oct 10

A vulnerability  Bypass of the script allowlist configuration in HCL AION.  An incorrectly configured Content-Security-

CVE-2025-62305 MEDIUM
5.1 May 14

HCL AION allows exposure of sensitive information through out-of-band interactions triggered by certain operations, affe

CVE-2025-62308 MEDIUM
5.1 May 14

HCL AION exposes sensitive backend infrastructure details through an information disclosure vulnerability affecting auth

CVE-2025-52643 MEDIUM
4.7 Mar 16

A security vulnerability in HCL AION (CVSS 4.7). Remediation should follow standard vulnerability management procedures.

CVE-2025-52628 MEDIUM
4.6 Feb 03

Aion versions up to 2.0 contains a vulnerability that allows attackers to cookies to be sent in cross-site requests, pot

Share

EUVD-2025-209855 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy