CVE-2025-52636
Published: 16 March 2026
Summary
CVE-2025-52636 is a low-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Hcltech Aion. Its CVSS base score is 1.8 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). The CVE ranks at the 10.2 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-52636 affects HCL AION due to improper control or validation of upload size limits. This vulnerability, classified under CWE-400 (Uncontrolled Resource Consumption), enables excessive resource consumption, potentially leading to service degradation or denial-of-service conditions in certain scenarios. The issue was published on 2026-03-16 with a low CVSS v3.1 base score of 1.8 (AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L), indicating limited impact primarily on availability.
Exploitation requires local access (AV:L), high attack complexity (AC:H), high privileges (PR:H), and user interaction (UI:R), with no change in scope (S:U). A successful attack achieves only low-impact disruption to availability (A:L), with no confidentiality or integrity effects (C:N/I:N). This makes it a low-risk issue: in practice it is reachable only by an already privileged local user who can also induce an administrator to facilitate an oversized upload.
For mitigation details, refer to the HCL Software advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129410.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208731
Vulnerability details
HCL AION is affected by a vulnerability related to the handling of upload size limits. Improper control or validation of upload sizes may allow excessive resource consumption, which could potentially lead to service degradation or denial-of-service conditions under certain scenarios.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Improper upload size validation enables application exhaustion via oversized file uploads leading to resource consumption and DoS.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-9 directly enforces restrictions on the amounts and characteristics of information inputs, such as upload sizes, to prevent uncontrolled resource consumption. (Note that SI-9 is marked withdrawn in SP 800-53 Rev 5 and incorporated into AC-2, AC-3, AC-5 and AC-6.)
SI-10 requires validation of information inputs, including upload sizes, to ensure they meet defined limits and avoid excessive resource usage.
SC-5 provides denial-of-service protection by monitoring and limiting resource consumption from oversized uploads leading to service degradation.