Cyber Resilience

CVE-2025-59872

MediumUpdated

Published: 17 June 2026

Published
17 June 2026
Modified
26 June 2026
KEV Added
Patch
CVSS Score v3.1 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS Score 0.0045 36.2th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2025-59872 is a medium-severity Generation of Error Message Containing Sensitive Information (CWE-209) vulnerability in Hcltech Zie For Web. Its CVSS base score is 4.3 (Medium).

Operationally, ranked at the 36.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

HCL ZIE for Web is affetced by an Unrestricted File Upload vulnerability, If the server is configured to execute code, then it may be possible to obtain command execution on the server by uploading a file known as a web…

more

shell, which allows you to execute arbitrary code or operating system commands. For this attack to be successful, the file needs to be uploaded inside the Webroot, and the server must be configured to execute the code

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

hcltech
zie for web
16.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-209

Detects error messages that leak sensitive information as evidence of disclosure.

addresses: CWE-209

The control directly mitigates generation of error messages containing sensitive authentication details by requiring obscured feedback instead of verbose responses.

addresses: CWE-434

Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.

addresses: CWE-209

Misdirection allows generation of misleading error messages that withhold or falsify sensitive details.

addresses: CWE-434

Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.

addresses: CWE-434

Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.

addresses: CWE-209

Explicitly requires error messages to avoid including sensitive or exploitable details while still supporting corrective action.

addresses: CWE-209

Validation ensures error messages contain only expected, non-sensitive content and blocks leakage via verbose errors.

References