CVE-2025-52608
HCL iControl Missing Cookie Attributes Vulnerability

Publication date: 2026-06-04

Last updated on: 2026-06-04

Assigner: HCL Software

Description
HCL iControl was affected by a Missing Cookie Attributes vulnerability. The application was observed to be missing several critical cookie attributes, including Secure and SameSite, and the cookie path is set to root.
Meta Information
Published: 2026-06-04
Last Modified: 2026-06-04
Generated: 2026-06-24
AI Q&A: 2026-06-04
EPSS Evaluated: 2026-06-23
Affected Vendors & Products
Vendor: hcltech
Product: icontrol
Version / Range: 4.0.0
CWE
CWE ID: CWE-614
Description: The Secure attribute for sensitive cookies in HTTPS sessions is not set.
Compliance Impact

The vulnerability involves missing critical cookie attributes such as Secure and SameSite in HCL iControl, which can lead to security weaknesses in cookie handling.

While the CVE description does not explicitly mention compliance impacts, missing Secure and SameSite cookie attributes can increase the risk of session hijacking or cross-site request forgery attacks, potentially leading to unauthorized access or data exposure.

Such security weaknesses may affect compliance with standards like GDPR and HIPAA, which require appropriate safeguards to protect personal and sensitive data.

Detection Guidance

This vulnerability can be detected by inspecting the cookies set by the HCL iControl application to verify if critical cookie attributes such as Secure and SameSite are missing and if the path attribute is set to root.

You can use network inspection tools or browser developer tools to check the cookie attributes.

For command line detection, you can use curl to inspect the Set-Cookie headers from the server responses. For example:

  • curl -sI https://your-icontrol-server | grep -i '^set-cookie'

Then review the output to see if the Secure and SameSite attributes are missing and if the path is set to root.
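
The manual review described above can be scripted. The following is an added example, not code from this page or from HCL: a shell function that reads response headers on stdin and reports, per cookie, the three conditions the CVE description names. The function name, cookie names and sample headers are constructed for illustration.

```shell
#!/bin/sh
# audit_cookies: read HTTP response headers on stdin and print one line per
# Set-Cookie header: which of Secure / SameSite are missing, and whether
# Path is the root ("/").
audit_cookies() {
  awk '
    {
      line = $0
      sub(/\r$/, "", line)                      # curl output ends lines with CRLF
      if (tolower(line) !~ /^set-cookie:/) next # HTTP/2 header names are lowercase
      sub(/^[^:]*:[ \t]*/, "", line)            # drop the header name
      n = split(line, part, ";")
      name = part[1]; sub(/=.*/, "", name)      # cookie name only, never the value
      secure = 0; samesite = ""; path = ""
      for (i = 2; i <= n; i++) {
        attr = part[i]
        gsub(/^[ \t]+|[ \t]+$/, "", attr)
        key = tolower(attr); val = ""
        eq = index(attr, "=")
        if (eq) { key = tolower(substr(attr, 1, eq - 1)); val = substr(attr, eq + 1) }
        if (key == "secure") secure = 1
        else if (key == "samesite") samesite = val
        else if (key == "path") path = val
      }
      finding = ""
      if (!secure)        finding = finding " missing-Secure"
      if (samesite == "") finding = finding " missing-SameSite"
      if (path == "/")    finding = finding " Path=/"
      if (finding == "")  finding = " ok"
      print name ":" finding
    }'
}

# Constructed sample headers (not captured from a real iControl server).
SAMPLE_HEADERS='HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly
Set-Cookie: prefs=dark; Path=/app; Secure; SameSite=Lax
set-cookie: track=1; path=/; secure'

printf '%s\n' "$SAMPLE_HEADERS" | audit_cookies
```

Against a live server, pipe the headers in with `curl -sI https://your-icontrol-server | audit_cookies`. Session cookies are often issued only after login, so check that response as well.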

Mitigation Strategies

Immediate mitigation steps include configuring the HCL iControl application to set the Secure and SameSite attributes on cookies properly.

Ensure that cookies are only sent over secure channels by enabling the Secure attribute, and limit exposure to cross-site request forgery by setting the SameSite attribute appropriately.

Additionally, review and adjust the cookie path attribute if necessary to limit the scope of the cookie.

Impact Analysis

Because the Secure and SameSite attributes are missing from cookies, the risk of cookie theft and cross-site request forgery (CSRF) attacks increases. Attackers may exploit these missing attributes to hijack user sessions or perform unauthorized actions.

Executive Summary

The vulnerability in HCL iControl is due to missing critical cookie attributes. Specifically, the application does not set important cookie attributes such as Secure and SameSite, and the cookie path is set to root.
