Cyber Resilience

CVE-2025-52659

Severity: Low

Published: 19 January 2026

Modified: 25 April 2026
CVSS Score v3.1: 2.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L)
EPSS Score: 0.0006 (17.9th percentile)
Risk Priority: 6 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-52659 is a low-severity Use of Web Browser Cache Containing Sensitive Information (CWE-525) vulnerability in Hcltech Aion. Its CVSS base score is 2.8 (Low).

Operationally, it ranks at the 17.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and AC-4 (Information Flow Enforcement).

Deeper analysis

CVE-2025-52659 is a Cacheable HTTP Response vulnerability, classified under CWE-525, affecting HCL AION version 2. This flaw may result in the unintended storage of sensitive or dynamic content in caches, potentially enabling unauthorized access or information disclosure. The vulnerability received a CVSS v3.1 base score of 2.8 (AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L) and was published on 2026-01-19.

Exploitation requires local access, low attack complexity, low privileges, and user interaction. A local attacker with low-level privileges could trick a user into performing an action that triggers a cacheable HTTP response containing sensitive or dynamic content. While the description notes potential for unauthorized access or disclosure, the CVSS metrics indicate no confidentiality or integrity impact, with effects limited to low availability disruption.

Mitigation guidance is available in the HCL Software support knowledge base article at https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995#.

Vulnerability details

HCL AION version 2 is affected by a Cacheable HTTP Response vulnerability. This may lead to unintended storage of sensitive or dynamic content, potentially resulting in unauthorized access or information disclosure.

CWE(s)

CWE-525: Use of Web Browser Cache Containing Sensitive Information

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-52626 · Same product: Hcltech Aion
CVE-2025-52631 · Same product: Hcltech Aion
CVE-2025-52636 · Same product: Hcltech Aion
CVE-2025-52660 · Same product: Hcltech Aion
CVE-2025-52627 · Same product: Hcltech Aion
CVE-2025-55251 · Same product: Hcltech Aion
CVE-2025-52643 · Same product: Hcltech Aion
CVE-2025-52628 · Same product: Hcltech Aion
CVE-2025-55252 · Same product: Hcltech Aion
CVE-2025-52644 · Same product: Hcltech Aion

Affected Assets

Vendor: hcltech · Product: aion · Version: 2.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly requires configuring HTTP response headers (Cache-Control, Expires) so that sensitive or dynamic content is never stored in caches.

Prevent: Enforces information-flow rules that prohibit caching of responses containing sensitive data, blocking the unintended storage path described in the CVE.

Prevent: Requires confidentiality and integrity protections for transmitted data, which includes ensuring responses are not inadvertently cached and later disclosed.
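
A check for the header configuration the first control describes, added here as an example (it is not code from HCL or from the original page). The function names and sample headers are constructed for illustration, and the check goes slightly beyond Cache-Control and Expires by also reporting the public and no-cache directives.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument or None}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def audit_sensitive_response(headers, now=None):
    """Findings for a response carrying sensitive or dynamic content.
    An empty list means the headers forbid every cache from storing it."""
    now = now or datetime.now(timezone.utc)
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return []
    findings = ["no-store absent: the browser may write this response to its cache"]
    if "public" in cc:
        findings.append("public: shared caches (proxies, CDNs) may store it as well")
    if not cc and "expires" not in h:
        findings.append("no freshness information: caches may apply heuristic freshness")
    if "no-cache" in cc:
        findings.append("no-cache forces revalidation, but the body is still stored")
    elif (cc.get("max-age") or "").isdecimal() and int(cc["max-age"]) > 0:
        findings.append(f"max-age={cc['max-age']}: reused without revalidation")
    elif "max-age" not in cc and "expires" in h:
        try:
            if parsedate_to_datetime(h["expires"]) > now:
                findings.append("Expires is in the future: reused without revalidation")
        except (TypeError, ValueError):
            pass  # an invalid date such as "0" counts as already expired
    return findings

# Constructed sample responses (not taken from HCL AION).
SAMPLES = {
    "hardened": {"Cache-Control": "no-store"},
    "private": {"Cache-Control": "private, max-age=600"},
    "revalidate": {"Cache-Control": "no-cache", "Expires": "0"},
    "bare": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, audit_sensitive_response(hdrs) or "OK: not stored")
```

Only the no-store sample passes: private and no-cache keep the response out of shared caches or force revalidation, but the browser still stores the body, which is the condition CWE-525 describes.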
