Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-52627

Summary
Assigner-HCL
Assigner Org ID-1e47fe04-f25f-42fa-b674-36de2c5e3cfc
Published At-03 Feb, 2026 | 17:44
Updated At-03 Feb, 2026 | 19:02
Rejected At-
Credits

HCL AION is susceptible to Incorrect Permission Assignment for Critical Resource

Root File System Not Mounted as Read-Only configuration vulnerability. This can allow unintended modifications to critical system files, potentially increasing the risk of system compromise or unauthorized changes.This issue affects AION: 2.0.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:HCL
Assigner Org ID:1e47fe04-f25f-42fa-b674-36de2c5e3cfc
Published At:03 Feb, 2026 | 17:44
Updated At:03 Feb, 2026 | 19:02
Rejected At:
▼CVE Numbering Authority (CNA)
HCL AION is susceptible to Incorrect Permission Assignment for Critical Resource

Root File System Not Mounted as Read-Only configuration vulnerability. This can allow unintended modifications to critical system files, potentially increasing the risk of system compromise or unauthorized changes.This issue affects AION: 2.0.

Affected Products
Vendor
HCL Technologies Ltd.HCL
Product
AION
Default Status
unaffected
Versions
Affected
  • 2.0
Problem Types
TypeCWE IDDescription
CWECWE-732CWE-732
Type: CWE
CWE ID: CWE-732
Description: CWE-732
Metrics
VersionBase scoreBase severityVector
3.15.5MEDIUM
CVSS:3.1/AV:P/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
Version: 3.1
Base score: 5.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:P/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127972
N/A
Hyperlink: https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127972
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:psirt@hcl.com
Published At:03 Feb, 2026 | 18:16
Updated At:10 Feb, 2026 | 20:50

Root File System Not Mounted as Read-Only configuration vulnerability. This can allow unintended modifications to critical system files, potentially increasing the risk of system compromise or unauthorized changes.This issue affects AION: 2.0.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.15.5MEDIUM
CVSS:3.1/AV:P/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
Primary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Type: Secondary
Version: 3.1
Base score: 5.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:P/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
Type: Primary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CPE Matches
HCL Technologies Ltd.
hcltech
>>aion>>2.0
cpe:2.3:a:hcltech:aion:2.0:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-732Secondarypsirt@hcl.com
CWE ID: CWE-732
Type: Secondary
Source: psirt@hcl.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127972psirt@hcl.com
Vendor Advisory
Hyperlink: https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127972
Source: psirt@hcl.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

19Records found
CVE-2020-4099
Matching Score-8
Assigner-HCL Software
ShareView Details
Matching Score-8
Assigner-HCL Software
CVSS Score-5.9||MEDIUM
EPSS-0.18% / 39.32%
||
7 Day CHG~0.00%
Published-01 Nov, 2022 | 17:55
Updated-02 May, 2025 | 16:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL Verse for Android is susceptible to an APK signing key check vulnerability

The application was signed using a key length less than or equal to 1024 bits, making it potentially vulnerable to forged digital signatures. An attacker could forge the same digital signature of the app after maliciously modifying the app.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-verseHCL Verse for Android
CWE ID-CWE-326
Inadequate Encryption Strength
CVE-2025-52621
Matching Score-8
Assigner-HCL Software
ShareView Details
Matching Score-8
Assigner-HCL Software
CVSS Score-5.3||MEDIUM
EPSS-0.02% / 3.69%
||
7 Day CHG~0.00%
Published-15 Aug, 2025 | 22:45
Updated-29 Oct, 2025 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL BigFix SaaS Authentication Service is vulnerable to cache poisoning

HCL BigFix SaaS Authentication Service is vulnerable to cache poisoning.  The BigFix SaaS's HTTP responses were observed to include the Origin header. Its presence alongside an unvalidated reflection of the Origin header value introduces a potential for cache poisoning.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-bigfix_saasBigFix SaaS Remediate
CWE ID-CWE-346
Origin Validation Error
CVE-2021-27777
Matching Score-8
Assigner-HCL Software
ShareView Details
Matching Score-8
Assigner-HCL Software
CVSS Score-7.5||HIGH
EPSS-0.30% / 52.94%
||
7 Day CHG~0.00%
Published-12 May, 2022 | 21:25
Updated-16 Sep, 2024 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL Unica Platform is vulnerable to XML External Entity (XXE) injection

XML External Entity (XXE) injection vulnerabilities occur when poorly configured XML parsers process user supplied input without sufficient validation. Attackers can exploit this vulnerability to manipulate XML content and inject malicious external entity references.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-unicaHCL Unica
CWE ID-CWE-91
XML Injection (aka Blind XPath Injection)
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2024-30134
Matching Score-8
Assigner-HCL Software
ShareView Details
Matching Score-8
Assigner-HCL Software
CVSS Score-6.7||MEDIUM
EPSS-0.16% / 36.90%
||
7 Day CHG~0.00%
Published-26 Sep, 2024 | 14:50
Updated-30 Oct, 2025 | 18:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL Traveler for Microsoft Outlook (HTMO) is susceptible to an application modification vulnerability

The HCL Traveler for Microsoft Outlook executable (HTMO.exe) is being flagged as potentially Malicious Software or an Unrecognized Application.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-traveler_for_microsoft_outlookHCL Traveler for Microsoft Outlooktraveler
CWE ID-CWE-295
Improper Certificate Validation
CVE-2021-27764
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-7.4||HIGH
EPSS-0.11% / 29.49%
||
7 Day CHG~0.00%
Published-06 May, 2022 | 18:10
Updated-16 Sep, 2024 | 19:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL BigFix WebUI Cookie missing attributes

Cookie without HTTPONLY flag set. NUMBER cookie(s) was set without Secure or HTTPOnly flags. The images show the cookie with the missing flag. (WebUI)

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-bigfix_webuiHCL BigFix WebUI
CWE ID-CWE-614
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CVE-2020-14263
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-3.9||LOW
EPSS-0.06% / 17.42%
||
7 Day CHG~0.00%
Published-21 Oct, 2021 | 16:34
Updated-04 Aug, 2024 | 12:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

"HCL Traveler Companion is vulnerable to an iOS weak cryptographic process vulnerability via the included MobileIron AppConnect SDK"

Action-Not Available
Vendor-n/aHCL Technologies Ltd.
Product-traveler_companion"HCL Traveler Companion"
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2021-31902
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.00% / 0.05%
||
7 Day CHG~0.00%
Published-11 May, 2021 | 11:38
Updated-03 Aug, 2024 | 23:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains YouTrack before 2020.6.6600, access control during the exporting of issues was implemented improperly.

Action-Not Available
Vendor-n/aJetBrains s.r.o.
Product-youtrackn/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2020-27568
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.31% / 53.66%
||
7 Day CHG~0.00%
Published-21 Apr, 2021 | 21:16
Updated-04 Aug, 2024 | 16:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Insecure File Permissions exist in Aviatrix Controller 5.3.1516. Several world writable files and directories were found in the controller resource. Note: All Aviatrix appliances are fully encrypted. This is an extra layer of security.

Action-Not Available
Vendor-n/aAviatrix Systems, Inc.
Product-controllern/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2022-42949
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.13% / 32.98%
||
7 Day CHG~0.00%
Published-20 Dec, 2022 | 00:00
Updated-17 Apr, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Silverstripe silverstripe/subsites through 2.6.0 has Insecure Permissions.

Action-Not Available
Vendor-n/aSilverstripe
Product-subsitesn/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2023-31453
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-0.21% / 43.00%
||
7 Day CHG~0.00%
Published-22 May, 2023 | 13:25
Updated-11 Oct, 2024 | 21:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache InLong: IDOR make users can delete others' subscription

Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.2.0 through 1.6.0. The attacker can delete others' subscriptions, even if they are not the owner of the deleted subscription. Users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/7949 https://github.com/apache/inlong/pull/7949

Action-Not Available
Vendor-The Apache Software Foundation
Product-inlongApache InLonginlong
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2023-31454
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-0.21% / 43.00%
||
7 Day CHG~0.00%
Published-22 May, 2023 | 13:23
Updated-09 Oct, 2024 | 18:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache InLong: IDOR make users can bind any cluster

Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.2.0 through 1.6.0.  The attacker can bind any cluster, even if he is not the cluster owner. Users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick [1] to solve it.[1] https://github.com/apache/inlong/pull/7947 https://github.com/apache/inlong/pull/7947

Action-Not Available
Vendor-The Apache Software Foundation
Product-inlongApache InLonginlong
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2019-12441
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.07% / 21.09%
||
7 Day CHG~0.00%
Published-10 Mar, 2020 | 14:36
Updated-04 Aug, 2024 | 23:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Community and Enterprise Edition 8.4 through 11.11. The protected branches feature contained a access control issue which resulted in a bypass of the protected branches restriction rules. It has Incorrect Access Control.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2024-8900
Matching Score-4
Assigner-Mozilla Corporation
ShareView Details
Matching Score-4
Assigner-Mozilla Corporation
CVSS Score-7.5||HIGH
EPSS-0.22% / 43.97%
||
7 Day CHG~0.00%
Published-17 Sep, 2024 | 18:14
Updated-18 Mar, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An attacker could write data to the user's clipboard, bypassing the user prompt, during a certain sequence of navigational events. This vulnerability affects Firefox < 129, Firefox ESR < 128.3, and Thunderbird < 128.3.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxThunderbirdFirefox ESRFirefox
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2023-5077
Matching Score-4
Assigner-HashiCorp Inc.
ShareView Details
Matching Score-4
Assigner-HashiCorp Inc.
CVSS Score-7.6||HIGH
EPSS-0.21% / 43.41%
||
7 Day CHG~0.00%
Published-28 Sep, 2023 | 23:24
Updated-26 Sep, 2024 | 22:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Vault's Google Cloud Secrets Engine Removed Existing IAM Conditions When Creating / Updating Rolesets

The Vault and Vault Enterprise ("Vault") Google Cloud secrets engine did not preserve existing Google Cloud IAM Conditions upon creating or updating rolesets. Fixed in Vault 1.13.0.

Action-Not Available
Vendor-HashiCorp, Inc.
Product-vaultVault EnterpriseVaultvault
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2019-11270
Matching Score-4
Assigner-VMware by Broadcom
ShareView Details
Matching Score-4
Assigner-VMware by Broadcom
CVSS Score-7.3||HIGH
EPSS-0.23% / 45.43%
||
7 Day CHG~0.00%
Published-05 Aug, 2019 | 16:21
Updated-17 Sep, 2024 | 04:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
UAA clients.write vulnerability

Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the 'clients.write' authority or scope can bypass the restrictions imposed on clients created via 'clients.write' and create clients with arbitrary scopes that the creator does not possess.

Action-Not Available
Vendor-VMware (Broadcom Inc.)Cloud Foundry
Product-cloud_foundry_uaaoperations_managerapplication_serviceUAA Release (OSS)
CWE ID-CWE-269
Improper Privilege Management
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2019-11528
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.21% / 42.73%
||
7 Day CHG~0.00%
Published-10 Oct, 2019 | 19:30
Updated-04 Aug, 2024 | 22:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Softing uaGate SI 1.60.01. A system default path for executables is user writable.

Action-Not Available
Vendor-softingn/a
Product-uagate_si_firmwareuagate_sin/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2018-12922
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.34% / 56.66%
||
7 Day CHG~0.00%
Published-28 Jun, 2018 | 11:00
Updated-05 Aug, 2024 | 08:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Emerson Liebert IntelliSlot Web Card devices allow remote attackers to reconfigure access control via the config/configUser.htm or config/configTelnet.htm URI.

Action-Not Available
Vendor-vertivn/a
Product-liebert_intellislot_firmwareliebert_intellislotn/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2024-29078
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-7.5||HIGH
EPSS-0.21% / 43.30%
||
7 Day CHG~0.00%
Published-27 May, 2024 | 23:52
Updated-28 Mar, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incorrect permission assignment for critical resource issue exists in MosP kintai kanri V4.6.6 and earlier, which may allow a remote unauthenticated attacker with access to the product to alter the product settings.

Action-Not Available
Vendor-esMind, LLC
Product-MosP kintai kanri
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2020-13915
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.61% / 69.41%
||
7 Day CHG~0.00%
Published-28 Jul, 2020 | 14:46
Updated-04 Aug, 2024 | 12:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Insecure permissions in emfd/libemf in Ruckus Wireless Unleashed through 200.7.10.102.92 allow a remote attacker to overwrite admin credentials via an unauthenticated crafted HTTP request. This affects C110, E510, H320, H510, M510, R320, R310, R500, R510 R600, R610, R710, R720, R750, T300, T301n, T301s, T310c, T310d, T310n, T310s, T610, T710, and T710s devices.

Action-Not Available
Vendor-ruckuswirelessn/a
Product-h320r610t310cr720t301ne510r320t610t310dr310r500c110m510h510t301st710sr750r510r600t300t710t310nr710unleashed_firmwaret310sn/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CWE ID-CWE-522
Insufficiently Protected Credentials
Details not found