CVE-2025-52637
Published: 16 March 2026
Summary
CVE-2025-52637 is a medium-severity SQL Injection (CWE-89) vulnerability in HCL AION. Its CVSS v3.1 base score is 4.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190), although the CVSS vector records a local attack vector (AV:L), so the mapping is a loose fit. The CVE is ranked at the 23.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-52637 is a vulnerability in HCL AION that allows execution of potentially harmful SQL queries in certain offering configurations due to improper validation or restrictions on query execution. This issue, classified under CWE-89 (SQL Injection), could lead to unintended database interactions or limited information exposure under specific conditions. The vulnerability has a CVSS v3.1 base score of 4.5 (AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on 2026-03-16.
The attack requires local access (AV:L), high attack complexity (AC:H), and low privileges (PR:L), with no user interaction needed (UI:N). The high complexity reflects that the attacker depends on conditions outside their control, here a specific offering configuration that permits the query path. A successful attacker obtains low impacts on confidentiality (C:L), integrity (I:L), and availability (A:L): limited information exposure, modification of data, or minor service disruption, all within the unchanged scope (S:U) of the vulnerable component.
Mitigation details are provided in the HCL Software support advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129410.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208720
Vulnerability details
HCL AION is affected by a vulnerability where certain offering configurations may permit execution of potentially harmful SQL queries. Improper validation or restrictions on query execution could expose the system to unintended database interactions or limited information exposure under specific conditions.
- CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection')
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
SQL injection (CWE-89) lets an attacker who can reach the application's query path run unauthorized database statements; T1190 is the closest ATT&CK technique for that initial access. Note the fit is imperfect here: the CVSS vector is AV:L, meaning the attacker already needs local access to the system rather than reaching the application over a network.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of all inputs (including values that end up in SQL queries) to reject malformed or dangerous content before execution, addressing the root cause of this CWE-89 flaw.
- AC-3 (Access Enforcement): enforces mediation of all access requests so that only explicitly permitted database operations are allowed, preventing unauthorized or harmful query execution in misconfigured offerings.
- AC-6 (Least Privilege): restricts accounts and processes to the minimum privileges needed, limiting the impact of any successfully submitted malicious SQL to the least-privileged data and functions.
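The following is an added example, not code from HCL AION or the advisory, showing how the three controls above translate into application code. It uses Python's sqlite3 as a stand-in database with a constructed schema; the table names, the tier allowlist, the injection payload and the helper names are all assumptions for illustration. The vulnerable function shows the CWE-89 pattern; the hardened lookup applies input validation and parameter binding (SI-10); and `run_customer_query` models a configuration that lets a caller supply a query, with an SQLite authorizer mediating every access the engine attempts (AC-3) so the query path can only read the tables it needs (AC-6).

```python
"""Added example (not HCL code): CWE-89 in a lookup, plus the three
NIST 800-53 controls applied, using sqlite3 as a stand-in database."""
import sqlite3
from typing import Optional

# Constructed demo schema: a table clients may query and one they must never see.
SCHEMA = """
CREATE TABLE offerings (id INTEGER PRIMARY KEY, name TEXT, tier TEXT);
CREATE TABLE api_keys (owner TEXT, secret TEXT);
INSERT INTO offerings VALUES (1, 'starter', 'public'), (2, 'enterprise', 'restricted');
INSERT INTO api_keys VALUES ('admin', 'hunter2-demo');
"""

ALLOWED_TIERS = {"public", "restricted"}   # SI-10: allowlist of legal input values
READABLE_TABLES = {"offerings"}            # AC-3/AC-6: the only table the query path may read

# Constructed injection payload: closes the quoted literal, appends a UNION, comments out the rest.
PAYLOAD = "public' UNION SELECT secret FROM api_keys --"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, tier: str) -> list:
    """CWE-89: caller-controlled text is spliced into the statement itself."""
    sql = "SELECT name FROM offerings WHERE tier = '" + tier + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn: sqlite3.Connection, tier: str) -> list:
    """SI-10 plus parameter binding: reject values outside the allowlist, and
    bind the value so the engine never parses it as SQL."""
    if tier not in ALLOWED_TIERS:
        raise ValueError(f"rejected tier value: {tier!r}")
    return [row[0] for row in conn.execute(
        "SELECT name FROM offerings WHERE tier = ?", (tier,))]


def _authorizer(action, arg1, arg2, db_name, trigger):
    """AC-3: SQLite calls this for every action while compiling a statement.
    Only plain SELECTs that read allowlisted tables are permitted; any write,
    DDL, or read of another table is denied before a single row is touched."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and arg1 in READABLE_TABLES:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def run_customer_query(conn: sqlite3.Connection, sql: str) -> Optional[list]:
    """Model of an offering configuration that lets a caller supply a query.
    AC-6: the connection used here is restricted to the minimum it needs, so
    even raw attacker-supplied SQL cannot read api_keys or modify offerings.
    Returns the rows, or None when the authorizer refuses the statement."""
    conn.set_authorizer(_authorizer)
    try:
        return [tuple(row) for row in conn.execute(sql)]
    except sqlite3.DatabaseError:          # "not authorized" raised at compile time
        return None


def demo() -> dict:
    """Exercises each path; the unrestricted lookups run before the authorizer is installed."""
    conn = make_db()
    out = {}
    out["vuln"] = set(lookup_vulnerable(conn, PAYLOAD))        # secret leaks via UNION
    try:
        lookup_hardened(conn, PAYLOAD)
        out["hardened"] = "ran"
    except ValueError:
        out["hardened"] = "rejected"
    out["legit"] = lookup_hardened(conn, "public")
    out["authz_read_ok"] = run_customer_query(conn, "SELECT name FROM offerings ORDER BY id")
    out["authz_leak"] = run_customer_query(conn, "SELECT secret FROM api_keys")
    out["authz_write"] = run_customer_query(conn, "DELETE FROM offerings")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable path returns the admin secret alongside the legitimate row; the hardened lookup rejects the payload before any SQL runs; and the authorizer-backed path answers the permitted read while refusing both the cross-table read and the DELETE. Treating the authorizer as the enforcement point, rather than inspecting the SQL text, is what makes the second control robust: the engine, not a regex, decides what the statement touches.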