CVE-2025-62319
Published: 16 March 2026
Summary
CVE-2025-62319 is a critical-severity SQL Injection (CWE-89) vulnerability in Hcltech Unica. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 19.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-62319 is a Boolean-based SQL injection vulnerability, classified under CWE-89, published on 2026-03-16 with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). It manifests as a type of blind SQL injection in which attackers inject Boolean conditions (TRUE or FALSE) into application input fields, altering backend configuration queries executed within the application. The application responds differently based on the condition's evaluation without exposing database errors or data directly.
Remote, unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. By systematically injecting Boolean conditions and observing behavioral differences in responses, attackers can exfiltrate data, modify database contents, or disrupt services, achieving high impacts on confidentiality, integrity, and availability through arbitrary SQL execution.
The HCL Software support advisory provides details on mitigation at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129410.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208747
Vulnerability details
Boolean-Based SQL Injection is a type of blind SQL injection where an attacker manipulates SQL queries by injecting Boolean conditions (TRUE or FALSE) into application input fields. Instead of returning database errors or visible data, the application responds differently depending on whether the injected condition evaluates to true or false. This allows an attacker to inject arbitrary SQL into backend configuration queries executed within the application.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques: Exploit Public-Facing Application (T1190)
Why these techniques?
Boolean-based blind SQL injection in a remotely accessible application directly enables exploitation of public-facing applications for data exfiltration, modification, or disruption.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly prevents Boolean-based SQL injection by validating and sanitizing application input fields to block malicious Boolean conditions in backend configuration queries.
- Consistent error handling: Mitigates blind SQL injection exploitation by ensuring consistent error handling that conceals the behavioral differences that would reveal true/false condition evaluations.
- SI-2 (Flaw Remediation): Remediates the specific SQL injection flaw through timely identification, reporting, testing, and correction to prevent arbitrary SQL execution.
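The following is an added illustration, not code from HCL Unica or from this advisory, of the two points made above: why a Boolean condition placed in an input field changes the result of a string-built query (the "Vulnerability details" section), and how the input-validation and parameterized-query controls remove that behaviour (the "Mitigating Controls" section). The table, rows, and the `lookup_*` functions are constructed for the example and do not reflect Unica's schema or code.

```python
import re
import sqlite3

# Constructed sample data: a tiny in-memory table standing in for the
# backend "configuration" table the advisory refers to (not Unica's schema).
SAMPLE_USERS = [
    (1, "alice", "admin"),
    (2, "bob", "user"),
    (3, "carol", "user"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Vulnerable pattern (CWE-89): the input is spliced into the SQL text, so an
    # injected Boolean condition becomes part of the WHERE clause and decides
    # which rows come back. That row-count difference is the "true/false"
    # signal a blind injection relies on.
    sql = f"SELECT name, role FROM users WHERE name = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # Hardened pattern: a bound parameter is always a data value, never SQL
    # grammar, so the same input simply fails to match any row.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (username,)).fetchall()


# Allow-list validation (SI-10, Information Input Validation). The character
# set and length limit are assumptions chosen for this example.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def validate_username(username: str) -> str:
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return username


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    # Defence in depth: reject malformed input first, then bind the parameter.
    return lookup_parameterized(conn, validate_username(username))


def is_rejected(username: str) -> bool:
    # True when the allow-list validator refuses the value.
    try:
        validate_username(username)
    except ValueError:
        return True
    return False


def demo() -> dict:
    # Compare the three lookups on a benign name and on inputs carrying an
    # always-true and an always-false Boolean condition.
    conn = make_db()
    benign = "alice"
    cond_true = "x' OR '1'='1"
    cond_false = "x' AND '1'='2"
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_true": lookup_vulnerable(conn, cond_true),      # every row
        "vuln_false": lookup_vulnerable(conn, cond_false),    # no rows
        "param_true": lookup_parameterized(conn, cond_true),  # no rows
        "hardened_benign": lookup_hardened(conn, benign),
        "hardened_rejects_true": is_rejected(cond_true),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to notice is the middle pair of results: with string concatenation, the true and false conditions produce different row counts even though no error or data column is ever shown, which is exactly the side channel the advisory describes. With the bound parameter the two inputs are indistinguishable (both return nothing), and the allow-list validator never lets the quote character reach the query at all.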