CVE-2025-52632

6.5 MEDIUM

📋 TL;DR

A missing Secure attribute in SSL cookies in HCL AION allows attackers to intercept session cookies over unencrypted HTTP connections. This affects HCL AION version 2.0 installations, potentially exposing authenticated user sessions to man-in-the-middle attacks.

💻 Affected Systems

Products:
  • HCL AION
Versions: 2.0
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All AION 2.0 installations are affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal authenticated session cookies and impersonate legitimate users, gaining unauthorized access to sensitive AION data and functionality.

🟠 Likely Case

Session hijacking in environments where attackers can intercept network traffic, leading to unauthorized access to AION applications.

🟢 If Mitigated

Limited impact if HTTPS is strictly enforced and network segmentation prevents traffic interception.

🌐 Internet-Facing: HIGH - Internet-facing AION instances are vulnerable to session hijacking if cookies can be intercepted.
🏢 Internal Only: MEDIUM - Internal networks still risk session hijacking from insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires ability to intercept network traffic between client and server.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply the fix from HCL support article KB0124444

Vendor Advisory: https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0124444

Restart Required: No

Instructions:

1. Access the HCL support portal.
2. Download the fix for KB0124444.
3. Apply the fix to your AION 2.0 installation following HCL's instructions.
4. Verify the Secure attribute is now set on SSL cookies.

🔧 Temporary Workarounds

Enforce HTTPS Strictly

Platforms: all

Configure the web server to redirect all HTTP traffic to HTTPS and set HSTS headers so browsers stop issuing plain-HTTP requests that would carry the cookie.

# Apache: Redirect HTTP to HTTPS in .htaccess or vhost config
# Nginx: server { listen 80; return 301 https://$host$request_uri; }

🧯 If You Can't Patch

  • Implement strict network segmentation to prevent traffic interception
  • Deploy WAF with session protection rules to detect cookie theft attempts

🔍 How to Verify

Check if Vulnerable:

Inspect browser developer tools to check if AION session cookies lack the Secure attribute when accessed over HTTPS

Check Version:

Check AION administration console or consult HCL documentation for version information

Verify Fix Applied:

Verify session cookies now have Secure attribute set when accessed over HTTPS
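The check above can be scripted rather than done by hand in the browser. The following is an added example, not code from HCL or from this advisory: it parses the Set-Cookie headers an HTTPS response returns and lists every cookie that lacks the Secure attribute. The cookie names in the sample headers are constructed for the example, not AION's real cookie names, and the host you pass to the fetch helper is yours to supply.

```python
"""Audit Set-Cookie headers for the Secure attribute (added example)."""
import http.client
from typing import Dict, List


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into its name, value and attribute map.

    Flag attributes such as Secure and HttpOnly map to True; valued
    attributes such as Path or SameSite map to their value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def cookies_missing_secure(set_cookie_headers: List[str]) -> List[str]:
    """Names of cookies whose Set-Cookie header lacks the Secure attribute.

    Such cookies are also sent on plain-HTTP requests to the same host,
    which is the exposure this advisory describes.
    """
    missing = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if "secure" not in cookie["attrs"]:
            missing.append(cookie["name"])
    return missing


def fetch_set_cookie_headers(host: str, path: str = "/", port: int = 443) -> List[str]:
    """Fetch a page over HTTPS and collect every Set-Cookie header.

    Makes a real network request; the offline sample below does not call it.
    """
    conn = http.client.HTTPSConnection(host, port, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    finally:
        conn.close()


# Constructed sample headers: a vulnerable response and a fixed one.
SAMPLE_VULNERABLE = [
    "JSESSIONID=abc123; Path=/; HttpOnly",
    "aion_auth=tok456; Path=/; HttpOnly; SameSite=Lax",
]
SAMPLE_FIXED = [
    "JSESSIONID=abc123; Path=/; HttpOnly; Secure",
    "aion_auth=tok456; Path=/; HttpOnly; Secure; SameSite=Lax",
]

if __name__ == "__main__":
    print("vulnerable:", cookies_missing_secure(SAMPLE_VULNERABLE))
    print("fixed:", cookies_missing_secure(SAMPLE_FIXED))
```

Run it against a live instance with `cookies_missing_secure(fetch_set_cookie_headers("aion.example.internal", "/"))`; an empty list after applying the KB0124444 fix confirms the attribute is set. Check the login response as well as the landing page, since the session cookie is usually issued there.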

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts followed by a successful login from a different IP
  • Session cookies being sent over HTTP connections

Network Indicators:

  • Unencrypted HTTP traffic containing session cookies
  • Cookie headers without Secure flag in HTTPS responses

SIEM Query:

source="web_server" AND ((cookie="session" AND NOT secure) OR (http_request AND cookie AND NOT ssl))
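The two clauses of that query (a session cookie set without Secure, and a session cookie presented on a plain-HTTP request) can be run over proxy logs directly. The following is an added example, not part of this advisory: it assumes a reverse proxy that writes one JSON record per request with `scheme`, `req_cookie` (the request's Cookie header) and `resp_set_cookie` (the response's Set-Cookie headers). Those field names, the session cookie names and the log records are all constructed for the example.

```python
"""Flag session cookies crossing plain HTTP in proxy logs (added example)."""
import json
from typing import Dict, Iterable, List

# Cookie names treated as session-bearing (constructed; use the real AION names).
SESSION_COOKIE_NAMES = {"JSESSIONID", "aion_auth"}


def cookie_names(cookie_header: str) -> List[str]:
    """Names from a request Cookie header such as 'a=1; b=2'."""
    return [p.split("=", 1)[0].strip() for p in cookie_header.split(";") if p.strip()]


def find_insecure_session_cookies(lines: Iterable[str]) -> List[Dict[str, str]]:
    """One finding per record where a session cookie was sent over HTTP
    or was set over HTTPS without the Secure attribute."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        scheme = rec.get("scheme", "").lower()
        # Request side: a session cookie on an http:// request travelled in clear.
        for name in cookie_names(rec.get("req_cookie", "")):
            if name in SESSION_COOKIE_NAMES and scheme == "http":
                findings.append({"ts": rec["ts"], "client": rec["client"],
                                 "cookie": name, "reason": "session cookie sent over HTTP"})
        # Response side: a session cookie set without Secure will leak on the next http:// request.
        for header in rec.get("resp_set_cookie", []):
            name = header.split("=", 1)[0].strip()
            attrs = {a.split("=", 1)[0].strip().lower() for a in header.split(";")[1:]}
            if name in SESSION_COOKIE_NAMES and "secure" not in attrs:
                findings.append({"ts": rec["ts"], "client": rec["client"],
                                 "cookie": name, "reason": "Set-Cookie without Secure"})
    return findings


# Constructed log records: a login that sets the cookie without Secure, then a
# plain-HTTP asset request from the same client that carries it in clear, then a
# clean HTTPS request from another client.
SAMPLE_LOG = [
    '{"ts":"2025-07-01T10:00:00Z","client":"10.0.0.5","scheme":"https","path":"/login",'
    '"req_cookie":"","resp_set_cookie":["JSESSIONID=abc123; Path=/; HttpOnly"]}',
    '{"ts":"2025-07-01T10:00:05Z","client":"10.0.0.5","scheme":"http","path":"/img/logo.png",'
    '"req_cookie":"JSESSIONID=abc123; theme=dark","resp_set_cookie":[]}',
    '{"ts":"2025-07-01T10:00:09Z","client":"10.0.0.7","scheme":"https","path":"/app",'
    '"req_cookie":"JSESSIONID=zzz; theme=dark","resp_set_cookie":["theme=dark; Path=/"]}',
]

if __name__ == "__main__":
    for finding in find_insecure_session_cookies(SAMPLE_LOG):
        print(finding)
```

Once the fix is applied and HTTP is redirected to HTTPS, the request-side finding should disappear along with the response-side one; a lingering request-side hit after patching points at a client still being served an unredirected HTTP path.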
