CVE-2025-52648
Published: 16 March 2026
Summary
CVE-2025-52648 is a medium-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Hcl Aion. Its CVSS base score is 4.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Code Signing (T1553.002); ranked at the 1.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-7 (Software, Firmware, and Information Integrity).
Deeper analysis
CVE-2025-52648 is a vulnerability in HCL AION where offering images are not digitally signed, potentially allowing the use of unverified or tampered images. This lack of image signing can lead to security risks such as integrity compromise or unintended system behavior. The issue is classified under CWE-347 (Improper Verification of Cryptographic Signature) with a CVSS v3.1 base score of 4.8 (AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L), indicating medium severity.
Exploitation requires local access (AV:L), low attack complexity (AC:L), low privileges (PR:L), and user interaction (UI:R), with no scope change (S:U). A local attacker with low privileges could trick a user into deploying or using tampered offering images, potentially resulting in low-impact unauthorized disclosure of information (C:L), modification (I:L), or denial of service (A:L), such as system integrity issues or unexpected behavior.
HCL has published a knowledge base article at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129410 detailing mitigation steps for this vulnerability. The CVE was published on 2026-03-16T14:17:59.743.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208723
Vulnerability details
HCL AION is affected by a vulnerability where offering images are not digitally signed. Lack of image signing may allow the use of unverified or tampered images, potentially leading to security risks such as integrity compromise or unintended behavior in…
more
the system
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Lack of digital signature verification on offering images directly enables adversaries to subvert code signing controls (T1553.002) and facilitates supply chain compromise via tampered images (T1195.002).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires cryptographic signing of software/images to enforce verification before use, eliminating the exact weakness described in CWE-347 for offering images.
Mandates integrity verification (including digital signatures) of software and information to detect and block tampered offering images before deployment.
Requires verification of component authenticity, which would compel the use of signed images and reduce the risk of tampered artifacts entering the system.