
HCL iControl EUVD-2025-210239

CVE-2025-62340 MEDIUM
Insufficient Session Expiration (CWE-613)
2026-06-17 HCL
5.3 (CVSS 3.1 · NVD)

Severity by source

Vendor (HCL), primary: LOW (qualitative)
NVD: 5.3 MEDIUM, AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI: 3.1 LOW

Session token reuse requires prior low-privilege authenticated access (PR:L) and non-trivial token acquisition steps (AC:H), with impact limited to partial confidentiality disclosure only.

CVSS 3.1: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS 4.0: AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (HCL).

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline (3 events)

Severity Changed, Jun 26, 2026 15:07, NVD: LOW to MEDIUM
CVSS changed, Jun 26, 2026 15:07, NVD: 3.1 (LOW) to 5.3 (MEDIUM)
Analysis Generated, Jun 17, 2026 13:19, vuln.today

Description (NVD)

HCL iControl was affected by an Inadequate Session Timeout vulnerability. The vulnerability involves a security risk where a web application fails to automatically terminate user sessions after a period of inactivity.

Analysis (AI)

HCL iControl's web interface fails to automatically expire user sessions after inactivity, leaving authenticated session tokens valid indefinitely until explicit logout. An attacker who obtains a valid session token - through interception or unattended browser access - can reuse it to access the application and read data. The vuln.today CVSS 3.1 rescoring rates this Low (3.1), reflecting high attack complexity and limited confidentiality impact; no public exploit exists and the vulnerability is not listed in CISA KEV.

Technical Context (AI)

CWE-613 (Insufficient Session Expiration) describes a class of web application flaws where the server-side session store does not enforce a maximum idle timeout, keeping session tokens valid well beyond the user's active period. HCL iControl (CPE: cpe:2.3:a:hcl_software:icontrol:*:*:*:*:*:*:*:*) is a web-based IT management platform by HCL Software; its session lifecycle management does not invalidate tokens after inactivity, violating OWASP session management best practices. The vulnerability is network-reachable (AV:N) because the iControl interface is web-based, but exploiting it requires the attacker to first acquire a live, authenticated session credential (PR:L, AC:H), limiting the practical attack surface.

Remediation (AI)

Consult the HCL advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0131511 for vendor-recommended remediation; no exact patched version number is confirmed from available input data. As interim compensating controls, administrators should configure the shortest operationally acceptable server-side session idle timeout (commonly 15-30 minutes), enforce explicit logout requirements through user policy and training, and ensure session tokens are invalidated server-side on logout rather than only client-side. Restricting access to the iControl web interface through network-layer controls such as VPN requirements or IP allowlisting reduces the pool of potential token-interception attackers. Note that aggressive session timeouts will increase re-authentication frequency, potentially impacting user workflows in long-running administrative sessions.
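The two controls the remediation calls for, a server-side idle timeout and server-side invalidation on logout, as an added example that is not HCL's or iControl's code. The SessionStore class, its timeout values and the injectable clock are this example's own assumptions; passing idle_timeout=None reproduces the CWE-613 behaviour for comparison.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    created: float    # when the session was issued
    last_seen: float  # last request that used the token


class SessionStore:
    """Hypothetical server-side session store (added example, not iControl's)."""

    def __init__(self, idle_timeout, absolute_timeout, clock=time.monotonic):
        # idle_timeout=None is the weak setting: the token stays valid until an
        # explicit logout no matter how long the user is inactive (CWE-613).
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.clock = clock
        self._sessions = {}

    def create(self, user):
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        now = self.clock()
        self._sessions[token] = Session(user, now, now)
        return token

    def validate(self, token):
        """Return the user for a live token, or None (purging it) once it has expired."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        idle_expired = self.idle_timeout is not None and now - s.last_seen > self.idle_timeout
        life_expired = self.absolute_timeout is not None and now - s.created > self.absolute_timeout
        if idle_expired or life_expired:
            del self._sessions[token]  # drop it server-side, not just in the browser
            return None
        s.last_seen = now  # activity extends the idle window, never the absolute lifetime
        return s.user

    def logout(self, token):
        # Server-side revocation: a copied token is useless after logout
        # even if the client still holds it. Returns False for unknown tokens.
        return self._sessions.pop(token, None) is not None
```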

EUVD-2025-210239 vulnerability details – vuln.today