
HCL iControl · EUVD-2025-210059 | CVE-2025-52611 · LOW

Error Message Information Leak (CWE-209)
2026-06-04 · psirt@hcl.com · GHSA-v6rp-8fmq-j68m
CVSS 3.1 (NVD): 3.1

Severity by source

NVD PRIMARY
3.1 LOW
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

1. Analysis Generated: Jun 04, 2026 - 12:34 (vuln.today)

Description (CVE.org)

HCL iControl v4.0.0 is affected by an Unhandled Exception - Stack Trace Disclosure vulnerability. The error occurs because an undefined property is accessed in the application's JavaScript code. Specifically, the code attempts to read the property key 'dashboard' from an object that is undefined. This issue likely stems from one of the following: a missing or improperly initialized object.

Analysis (AI)

Stack trace disclosure in HCL iControl v4.0.0 exposes internal application details to authenticated remote attackers via unhandled JavaScript exceptions. The application fails to catch a runtime error when attempting to read the 'dashboard' key from an undefined object, returning a full stack trace to the requesting client. No public exploit exists and no active exploitation has been observed; CVSS scores this Low (3.1), reflecting strictly limited confidentiality impact with no integrity or availability consequences.

Technical Context (AI)

HCL iControl is a web-based control application. The root cause maps to CWE-209 (Generation of Error Message Containing Sensitive Information): server-side or client-rendered JavaScript code accesses a property named 'dashboard' on an object that has not been initialized or is undefined, triggering an unhandled exception. Rather than failing gracefully with a generic error response, the application propagates the raw exception including a full stack trace back to the requester. Stack traces typically expose internal file system paths, framework/library names and versions, and application code structure - intelligence useful for planning follow-on attacks. No CPE strings were provided in source data; affected product is identified as HCL iControl v4.0.0 per vendor advisory KB0131041.

Remediation (AI)

Consult HCL's official knowledge base article KB0131041 at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0131041 for the vendor-recommended fix. No exact patched version number is confirmed from available data - the precise fix version must be obtained directly from HCL support or the advisory. As a compensating control pending patching, configure the application's error handling middleware to suppress verbose exception output and return only generic error messages in production deployments; this directly addresses CWE-209 without modifying application logic, though it may complicate debugging. Additionally, restrict access to HCL iControl to the minimum required authenticated user base to reduce the pool of principals capable of triggering the flaw. Note that suppressing stack traces treats the symptom rather than the root cause (uninitialized object); the vendor patch is the authoritative fix.
