Cyber Resilience

CVE-2025-62319

Severity: Critical (updated)

Published: 16 March 2026
Modified: 05 June 2026
KEV Added: not listed
Patch: see the HCL Software advisory linked below
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0028 (19.7th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-62319 is a critical-severity SQL Injection (CWE-89) vulnerability in Hcltech Unica. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 19.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-62319 is a Boolean-based SQL injection vulnerability, classified under CWE-89, published on 2026-03-16 with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). It manifests as a type of blind SQL injection in which attackers inject Boolean conditions (TRUE or FALSE) into application input fields, altering backend configuration queries executed within the application. The application responds differently based on the condition's evaluation without exposing database errors or data directly.

Remote, unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. By systematically injecting Boolean conditions and observing behavioral differences in responses, attackers can exfiltrate data, modify database contents, or disrupt services, achieving high impacts on confidentiality, integrity, and availability through arbitrary SQL execution.

The HCL Software support advisory provides details on mitigation at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129410.

Vulnerability details

Boolean-Based SQL Injection is a type of blind SQL injection where an attacker manipulates SQL queries by injecting Boolean conditions (TRUE or FALSE) into application input fields. Instead of returning database errors or visible data, the application responds differently depending on whether the injected condition evaluates to true or false. This allows an attacker to inject arbitrary SQL into backend configuration queries executed within the application.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Boolean-based blind SQL injection in a remotely accessible application directly enables exploitation of public-facing apps for data exfil/modification/disruption.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-42210 (same product: Hcltech Unica)
CVE-2025-55262 (same vendor: Hcltech)
CVE-2025-52628 (same vendor: Hcltech)
CVE-2025-55271 (same vendor: Hcltech)
CVE-2024-42172 (same vendor: Hcltech)
CVE-2024-42168 (same vendor: Hcltech)
CVE-2024-42175 (same vendor: Hcltech)
CVE-2025-31958 (same vendor: Hcltech)
CVE-2026-24956 (shared CWE-89)
CVE-2026-33615 (shared CWE-89)

Affected Assets

Vendor: hcltech, Product: unica, Affected versions: ≤ 25.1.1.0.1
Vendor: hcltech, Product: unica audience central, Affected versions: ≤ 25.1.1.0.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assigned)

SI-10 Information Input Validation (prevent)

Directly prevents Boolean-based SQL injection by validating and sanitizing application input fields to block malicious Boolean conditions in backend configuration queries.

Consistent error handling (prevent)

Mitigates blind SQL injection exploitation by ensuring consistent error handling that conceals the behavioral differences that reveal true/false condition evaluations.

SI-2 Flaw Remediation (prevent, recover)

Remediates the specific SQL injection flaw through timely identification, reporting, testing, and correction to prevent arbitrary SQL execution.
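As an added illustration of the Boolean-based pattern described above and of the SI-10 input-validation control (example code, not from this page, HCL Unica or the vendor advisory): a config lookup built by string concatenation answers differently to an injected TRUE and FALSE condition, while the parameterized lookup plus an allowlist check does not. The table, rows and name policy are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data: a hypothetical "config" table, not Unica's real schema.
SAMPLE_ROWS = [("theme", "dark"), ("admin_token", "s3cr3t")]
CONFIG_NAME_RE = re.compile(r"^[A-Za-z0-9_.]{1,64}$")  # hypothetical allowlist policy


def make_db():
    """In-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE config (name TEXT, value TEXT)")
    conn.executemany("INSERT INTO config VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    """CWE-89 pattern: the caller's input is spliced into the SQL text, so a
    quote followed by a Boolean condition becomes part of the WHERE clause."""
    sql = f"SELECT value FROM config WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened form: the input is bound as a value and can only ever be
    compared against the name column, never parsed as SQL."""
    return conn.execute("SELECT value FROM config WHERE name = ?", (name,)).fetchall()


def is_valid_config_name(name):
    """SI-10 style allowlist check: names are short identifiers, so quotes,
    spaces and operators are rejected before any query is built."""
    return bool(CONFIG_NAME_RE.fullmatch(name))


def lookup_hardened(conn, name):
    """Both layers together: reject malformed input, then bind the parameter."""
    if not is_valid_config_name(name):
        raise ValueError("invalid config name")
    return lookup_parameterized(conn, name)


def differs_on_boolean(lookup, conn):
    """Regression check for the blind-SQLi symptom the page describes: a lookup
    is injectable if a TRUE and a FALSE condition appended to the same base
    input produce different results."""
    base = "theme"
    true_case = lookup(conn, base + "' OR '1'='1")
    false_case = lookup(conn, base + "' AND '1'='2")
    return true_case != false_case
```

Running differs_on_boolean against lookup_vulnerable returns True (the TRUE branch also leaks the admin_token row), against lookup_parameterized it returns False because both inputs are just non-existent names.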
