CVE-2025-55252
Published: 19 January 2026
Summary
CVE-2025-55252 is a low-severity Weak Password Requirements (CWE-521) vulnerability in HCL AION. Its CVSS v3.1 base score is 3.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Password Guessing (T1110.001). It ranks at the 4.5th percentile for exploit likelihood (well below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations identified are NIST SP 800-53 IA-5 (Authenticator Management) and AC-7 (Unsuccessful Logon Attempts).
Deeper analysis
CVE-2025-55252 is a Weak Password Policy vulnerability (CWE-521) affecting HCL AION version 2. The product allows easily guessable passwords to be set and used, which can lead to unauthorized access. It received a CVSS v3.1 base score of 3.1 (AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N) and was published on 2026-01-19.
As scored, exploitation is over the network (AV:N) but requires high privileges (PR:H), user interaction (UI:R) and high attack complexity (AC:H). A successful attack yields low-impact unauthorized access: limited effects on confidentiality and integrity, and no availability disruption. Note that the PR:H and UI:R components mean the published vector does not model an unauthenticated attacker guessing passwords against an exposed login surface; if your deployment offers one without throttling or lockout, the practical risk is higher than the score alone suggests.
HCL Software has published a knowledge base article on the vulnerability at https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995#, which practitioners should consult for mitigation guidance and patches.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3199
Vulnerability details
HCL AION version 2 is affected by a Weak Password Policy vulnerability. This can allow the use of easily guessable passwords, potentially resulting in unauthorized access.
- CWE(s): CWE-521 (Weak Password Requirements)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Password Guessing (T1110.001)
Why these techniques?
A weak password policy (CWE-521) directly enables password guessing attacks against accounts: the fewer constraints on what a user may set, the more likely a small wordlist or a handful of common patterns will land on a valid credential.
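The detection side of that mapping, as an added example that is not part of this advisory or of HCL AION: a small Python function that flags T1110.001 activity in authentication logs. The log format (ISO timestamp, result, user=, src=), the five-failure threshold and the five-minute window are assumptions chosen for illustration, and the sample log lines are constructed; map the parser onto whatever your application actually emits. A successful logon that follows a run of failures from the same pair is flagged separately, because that is the pattern a guessed weak password produces.

```python
"""Flag password-guessing runs (ATT&CK T1110.001) in authentication logs.

Added example, not code from HCL AION or the advisory. Log format, thresholds
and sample data are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: ISO timestamp, result, user=<name>, src=<ip>).
SAMPLE_LOG = """\
2026-01-19T10:00:01Z LOGIN_FAILED user=alice src=203.0.113.7
2026-01-19T10:00:03Z LOGIN_FAILED user=alice src=203.0.113.7
2026-01-19T10:00:05Z LOGIN_FAILED user=alice src=203.0.113.7
2026-01-19T10:00:07Z LOGIN_FAILED user=alice src=203.0.113.7
2026-01-19T10:00:09Z LOGIN_FAILED user=alice src=203.0.113.7
2026-01-19T10:00:11Z LOGIN_OK user=alice src=203.0.113.7
2026-01-19T10:05:00Z LOGIN_FAILED user=bob src=198.51.100.9
2026-01-19T10:20:00Z LOGIN_OK user=bob src=198.51.100.9
"""

WINDOW = timedelta(minutes=5)   # assumed sliding window
FAIL_THRESHOLD = 5              # assumed: 5 failures per (user, src) inside WINDOW is suspicious


def parse_line(line):
    """Split one assumed-format log line into (timestamp, result, user, src)."""
    ts, result, user_kv, src_kv = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def detect_password_guessing(log_text, window=WINDOW, threshold=FAIL_THRESHOLD):
    """Return {(user, src): {"failures": n, "followed_by_success": bool}} for suspicious pairs.

    Keeps a sliding window of failure timestamps per (user, src). Reaching `threshold`
    failures inside `window` raises an alert; a LOGIN_OK from the same pair within the
    window of the last failure marks the alert as followed_by_success (the guess landed).
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(list)   # (user, src) -> timestamps of failures still inside the window
    alerts = {}
    for ts, result, user, src in events:
        key = (user, src)
        if result == "LOGIN_FAILED":
            recent[key] = [t for t in recent[key] if ts - t <= window] + [ts]
            if len(recent[key]) >= threshold:
                alert = alerts.setdefault(key, {"failures": 0, "followed_by_success": False})
                alert["failures"] = len(recent[key])
        elif result == "LOGIN_OK":
            if key in alerts and recent[key] and ts - recent[key][-1] <= window:
                alerts[key]["followed_by_success"] = True
            recent[key] = []   # a success ends the current run either way
    return alerts


if __name__ == "__main__":
    for (user, src), info in detect_password_guessing(SAMPLE_LOG).items():
        print(f"{user} from {src}: {info['failures']} failures, "
              f"followed by success: {info['followed_by_success']}")
```

Keying on (user, src) catches a single account being hammered; a password spray that tries one password across many accounts from one source stays under this per-account threshold, so in production also count distinct users per source in the same window.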
Affected Assets
- HCL AION version 2
Mitigating Controls (NIST 800-53 r5)
- IA-5 (Authenticator Management): directly requires organizations to enforce password length, complexity and composition rules that prevent the use of easily guessable passwords.
- AC-7 (Unsuccessful Logon Attempts): limits rapid guessing of weak passwords by locking accounts after repeated failed logons, reducing the practical impact of the policy weakness.
- Secure configuration settings: mandates secure baseline configuration settings, which would include strong password policy parameters for the affected AION system.
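What the first two controls look like in application code, as an added example that is not code from HCL AION or from the advisory: a Python password-policy check in the IA-5 spirit (minimum length, a blocklist of guessable passwords and trivial variants of them, no username inside the password) next to an AC-7 style lockout after repeated failures. The minimum length, blocklist, failure threshold, lockout duration, PBKDF2 parameters and the in-memory user store are all assumptions chosen for illustration.

```python
"""Enforce a password policy (IA-5) and failed-logon lockout (AC-7).

Added example; this is not code from HCL AION or the advisory. The minimum
length, blocklist, lockout threshold, hashing parameters and in-memory user
store are assumptions chosen for illustration.
"""
import hashlib
import hmac
import os
import time

MIN_LENGTH = 12              # assumed policy minimum
MAX_FAILURES = 5             # assumed AC-7 threshold
LOCKOUT_SECONDS = 900        # assumed lockout duration (15 minutes)
PBKDF2_ITERATIONS = 100_000  # assumed; raise for production, or use argon2/scrypt

# Constructed, tiny blocklist. A real deployment loads a breach-derived list.
BLOCKLIST = {"password", "123456", "qwerty", "welcome", "letmein", "admin", "aion"}


def check_password_policy(password, username=None):
    """Return a list of violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    # Catch trivial variants such as "Password1!" by stripping trailing digits/punctuation.
    if lowered in BLOCKLIST or lowered.rstrip("0123456789!@#$%") in BLOCKLIST:
        problems.append("in the guessable-password blocklist")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if len(set(password)) < 4:
        problems.append("fewer than 4 distinct characters")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AuthStore:
    """In-memory user store with AC-7 style lockout. `clock` is injectable for testing."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.users = {}  # username -> {"salt", "hash", "failures", "locked_until"}

    def register(self, username, password):
        """Reject the password at set time if it violates the policy (IA-5)."""
        problems = check_password_policy(password, username)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "hash": digest, "failures": 0, "locked_until": 0.0}

    def login(self, username, password):
        """Return "ok", "bad_credentials" or "locked"; lockout is checked before the password."""
        now = self.clock()
        rec = self.users.get(username)
        if rec is None:
            hash_password(password)  # burn the same cost so unknown users are not faster to probe
            return "bad_credentials"
        if now < rec["locked_until"]:
            return "locked"
        _, candidate = hash_password(password, rec["salt"])
        if hmac.compare_digest(candidate, rec["hash"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:           # AC-7: lock after repeated failures
            rec["locked_until"] = now + LOCKOUT_SECONDS
            rec["failures"] = 0
        return "bad_credentials"
```

Two design points worth carrying into a real deployment: the lockout is checked before the password so a locked account leaks nothing about whether the guess was right, and the same uniform response is returned for unknown and wrong-password cases. Account lockout also hands an attacker a denial-of-service lever against known usernames, so pair it with per-source rate limiting rather than relying on it alone.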