CVE-2025-52623

3.7 LOW

📋 TL;DR

HCL AION 2.0 has a vulnerability where password fields don't disable autocomplete, potentially allowing browsers to store or autofill credentials. This could lead to unintended credential exposure if someone accesses the browser's stored passwords. Only HCL AION version 2.0 is affected.

💻 Affected Systems

Products:
  • HCL AION
Versions: 2.0
Operating Systems: All platforms running HCL AION
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web interface of HCL AION where password fields are present.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Sensitive credentials stored in browser autocomplete could be extracted by malware or accessed by unauthorized users on shared systems, leading to account compromise.

🟠 Likely Case

Credentials may be unintentionally stored in browser autocomplete, increasing risk if the browser is compromised or accessed by unauthorized users.

🟢 If Mitigated

With proper browser security controls and user awareness, the risk is minimal, as exploitation requires local access to the browser's stored data.

🌐 Internet-Facing: LOW (exploitation requires access to the user's browser or stored data, not the exposed service)
🏢 Internal Only: MEDIUM (shared workstations make local access to stored browser credentials more likely)

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the user's browser or system where credentials are stored.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific patched version

Vendor Advisory: https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127972

Restart Required: Yes

Instructions:

1. Review vendor advisory KB0127972.
2. Apply the recommended patch from HCL.
3. Restart AION services.
4. Verify the fix by checking that password fields no longer have autocomplete enabled.

🔧 Temporary Workarounds

Browser-level autocomplete disable (applies to: all)

Configure browsers to disable password autocomplete globally or for the AION site.

Browser-specific: Use settings to disable password saving for the AION URL.

Manual HTML modification (applies to: all)

Temporarily add autocomplete='off' to the password field HTML if you have access to modify the interface.

Edit HTML: <input type='password' autocomplete='off'>

🧯 If You Can't Patch

  • Educate users to never save AION passwords in browser autocomplete and clear any existing stored passwords.
  • Implement additional authentication controls like MFA to reduce impact if credentials are compromised.

🔍 How to Verify

Check if Vulnerable:

Inspect the HTML of the AION login and password fields for password inputs that lack the autocomplete='off' attribute.

Check Version:

Check AION administration interface or documentation for version information.

Verify Fix Applied:

After applying the patch, verify that password fields include the autocomplete='off' attribute.
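A scripted form of the two HTML checks above, added here as an example and not code from HCL or the advisory: it parses a saved copy of the page with Python's html.parser and reports each password input whose autocomplete value is neither off nor new-password. The sample HTML is constructed for the demonstration and is not taken from HCL AION.

```python
"""Flag password inputs whose autocomplete setting lets the browser offer to save them."""
from html.parser import HTMLParser

# Values that tell the browser not to offer or store credentials for the field.
SAFE_AUTOCOMPLETE = {"off", "new-password"}


class PasswordFieldAuditor(HTMLParser):
    """Collect every <input type="password"> with its autocomplete value and line number."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line, field name, autocomplete value)

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        # Valueless attributes arrive as None; normalise names and values for comparison.
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "text").lower() != "password":
            return
        line, _ = self.getpos()
        self.findings.append((line, a.get("name", "?"), a.get("autocomplete", "").strip().lower()))


def audit_password_fields(html):
    """Return one dict per password field; 'vulnerable' is True when autocomplete is not disabled."""
    parser = PasswordFieldAuditor()
    parser.feed(html)
    parser.close()
    return [
        {"line": line, "name": name, "autocomplete": ac or None,
         "vulnerable": ac not in SAFE_AUTOCOMPLETE}
        for line, name, ac in parser.findings
    ]


# Constructed sample login page: one unfixed field, one fixed field, one explicitly enabled.
SAMPLE_LOGIN_PAGE = """<form method="post" action="/login">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="PASSWORD" name="confirm" autocomplete="new-password">
  <input type="password" name="legacy" autocomplete="on">
</form>"""

if __name__ == "__main__":
    for f in audit_password_fields(SAMPLE_LOGIN_PAGE):
        status = "VULNERABLE" if f["vulnerable"] else "ok"
        print(f"line {f['line']}: field {f['name']!r} autocomplete={f['autocomplete']!r} -> {status}")
```

Current mainstream browsers treat autocomplete='off' on login password fields as advisory and may still prompt to save, so a passing check confirms the patch is in place rather than guaranteeing that no credential is ever stored.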

📡 Detection & Monitoring

Log Indicators:

  • No specific log indicators for this vulnerability

Network Indicators:

  • No network-based detection for this client-side issue

SIEM Query:

Not applicable for this client-side vulnerability
