Cyber Posture

CVE-2025-52636

Low

Published: 16 March 2026

Modified: 25 April 2026
KEV Added:
Patch:
CVSS Score: 1.8 (CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L)
EPSS Score: 0.0003 (8.3th percentile)
Risk Priority: 4 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-52636 is a low-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Hcltech Aion. Its CVSS base score is 1.8 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). The CVE ranks at the 8.3th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application Exhaustion Flood (T1499.003). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

- SI-9 (prevent): directly enforces restrictions on the amounts and characteristics of information inputs, such as upload sizes, to prevent uncontrolled resource consumption.

- SI-10 (prevent): requires validation of information inputs, including upload sizes, to ensure they meet defined limits and avoid excessive resource usage.

- SC-5 (prevent, detect): provides denial-of-service protection by monitoring and limiting the resource consumption caused by oversized uploads that would otherwise lead to service degradation.

MITRE ATT&CK Enterprise Techniques [AI]

T1499.003 Application Exhaustion Flood (tactic: Impact)
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
Why these techniques?

Improper upload size validation enables application exhaustion via oversized file uploads leading to resource consumption and DoS.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

HCL AION is affected by a vulnerability related to the handling of upload size limits. Improper control or validation of upload sizes may allow excessive resource consumption, which could potentially lead to service degradation or denial-of-service conditions under certain scenarios.

Deeper analysis [AI]

CVE-2025-52636 affects HCL AION due to improper control or validation of upload size limits. This vulnerability, classified under CWE-400 (Uncontrolled Resource Consumption), enables excessive resource consumption, potentially leading to service degradation or denial-of-service conditions in certain scenarios. The issue was published on 2026-03-16 with a low CVSS v3.1 base score of 1.8 (AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L), indicating limited impact primarily on availability.

Exploitation requires local access (AV:L), high attack complexity (AC:H), high privileges (PR:H), and user interaction (UI:R), with no change in scope (S:U). A successful attack achieves only low-impact disruption to availability (A:L), with no confidentiality or integrity effects (C:N/I:N). This makes it a low-risk issue, realistically exploitable only by privileged local users who can also trick an administrator into facilitating oversized uploads.
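The weakness the advisory describes is a limit that is checked against what the client declares rather than against what the server actually reads. The following is an added illustration, not HCL AION code and not derived from the advisory: a weak upload reader that trusts the declared length and then buffers the body to EOF, beside a hardened reader that bounds the bytes it actually consumes (the SI-10 style input-limit check that SC-5 complements). The limit value, the handler names and the constructed request bodies are assumptions for the demo.

```python
"""Added example (not HCL AION code): bounding upload size on bytes actually read.

CWE-400 pattern from the advisory: an upload path whose size limit is applied
only to the client-declared length, or not at all, lets one request consume
unbounded memory or disk. The hardened reader counts real bytes and stops early.
"""
import io
from typing import Callable, Optional, Tuple

MAX_UPLOAD_BYTES = 1_048_576  # assumed policy value (1 MiB); not taken from the advisory
CHUNK = 64 * 1024             # read granularity for the streaming path


class UploadTooLarge(Exception):
    """Raised when a request body exceeds the configured upload limit."""


def weak_read_upload(stream, declared_length: Optional[int],
                     limit: int = MAX_UPLOAD_BYTES) -> bytes:
    # Weak pattern: the limit is compared only with the client-declared length,
    # then the body is read to EOF, so the limit never applies to the real bytes.
    if declared_length is not None and declared_length > limit:
        raise UploadTooLarge(f"declared {declared_length} > limit {limit}")
    return stream.read()


def hardened_read_upload(stream, declared_length: Optional[int],
                         limit: int = MAX_UPLOAD_BYTES) -> bytes:
    # Hardened pattern: reject early on the declared length, then count every
    # byte actually read and abort as soon as the limit is crossed. At most
    # limit + 1 bytes are ever held, regardless of what the client sends.
    if declared_length is not None and declared_length > limit:
        raise UploadTooLarge(f"declared {declared_length} > limit {limit}")
    buf = io.BytesIO()
    total = 0
    while True:
        # Never ask for more than one byte past the limit: that single extra
        # byte is enough to prove the body is oversized.
        chunk = stream.read(min(CHUNK, limit + 1 - total))
        if not chunk:
            break
        total += len(chunk)
        if total > limit:
            raise UploadTooLarge(f"body exceeded limit of {limit} bytes")
        buf.write(chunk)
    # A declared length that does not match the bytes received is itself a
    # malformed request; reject rather than guess.
    if declared_length is not None and total != declared_length:
        raise ValueError(f"declared {declared_length} bytes but received {total}")
    return buf.getvalue()


def run_handler(handler: Callable, body: bytes, declared_length: Optional[int],
                limit: int) -> Tuple[str, object]:
    """Run a handler over a constructed body; report ('accepted', n) or ('rejected', why)."""
    try:
        data = handler(io.BytesIO(body), declared_length, limit)
        return ("accepted", len(data))
    except UploadTooLarge:
        return ("rejected", "too_large")
    except ValueError:
        return ("rejected", "length_mismatch")


def demo(limit: int = 1000) -> dict:
    """Constructed inputs: an honest small body, an oversized body with an
    under-declared length, an oversized body with no declared length, and a
    small body with a mismatched declared length."""
    small = b"a" * 200
    big = b"b" * (limit * 3)
    return {
        "weak_honest": run_handler(weak_read_upload, small, 200, limit),
        "weak_underdeclared": run_handler(weak_read_upload, big, 200, limit),
        "weak_undeclared": run_handler(weak_read_upload, big, None, limit),
        "hardened_honest": run_handler(hardened_read_upload, small, 200, limit),
        "hardened_underdeclared": run_handler(hardened_read_upload, big, 200, limit),
        "hardened_undeclared": run_handler(hardened_read_upload, big, None, limit),
        "hardened_overdeclared": run_handler(hardened_read_upload, small, 3 * limit, limit),
        "hardened_short_declared": run_handler(hardened_read_upload, small, 150, limit),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24} {result}")
```

With a 1000-byte limit the weak reader accepts and buffers all 3000 bytes of the under-declared and undeclared bodies, which is exactly the resource-consumption path the CWE describes; the hardened reader rejects both after reading 1001 bytes, and also rejects a body whose declared length disagrees with what arrived. The same bound should be applied again at the framework or reverse-proxy layer, so a single handler cannot be bypassed by another upload route.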

For mitigation details, refer to the HCL Software advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129410.

Details

CWE(s): CWE-400 (Uncontrolled Resource Consumption)

Affected Products

hcltech
aion
2.0.0 — 2.1.2

CVEs Like This One

CVE-2025-52631 (same product: Hcltech Aion)
CVE-2025-52659 (same product: Hcltech Aion)
CVE-2025-52628 (same product: Hcltech Aion)
CVE-2025-55251 (same product: Hcltech Aion)
CVE-2025-52626 (same product: Hcltech Aion)
CVE-2025-52643 (same product: Hcltech Aion)
CVE-2025-52644 (same product: Hcltech Aion)
CVE-2025-52660 (same product: Hcltech Aion)
CVE-2025-55252 (same product: Hcltech Aion)
CVE-2025-52627 (same product: Hcltech Aion)

References