CVE-2025-52608
HCL iControl Missing Cookie Attributes Vulnerability
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: HCL Software
Description
CVSS Scores
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hcltech | icontrol | 4.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-614 | The Secure attribute for sensitive cookies in HTTPS sessions is not set. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability involves missing critical cookie attributes such as Secure and SameSite in HCL iControl, which can lead to security weaknesses in cookie handling.
While the CVE description does not explicitly mention compliance impacts, missing Secure and SameSite cookie attributes can increase the risk of session hijacking or cross-site request forgery attacks, potentially leading to unauthorized access or data exposure.
Such security weaknesses may affect compliance with standards like GDPR and HIPAA, which require appropriate safeguards to protect personal and sensitive data.
How can this vulnerability impact me?
Because the Secure and SameSite attributes are missing from cookies, this can increase the risk of cookie theft or cross-site request forgery (CSRF) attacks. Attackers may exploit these missing attributes to hijack user sessions or perform unauthorized actions.
Can you explain this vulnerability to me?
The vulnerability in HCL iControl is due to missing critical cookie attributes. Specifically, the application does not set important cookie attributes such as Secure and SameSite, and the cookie path is set to root.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting the cookies set by the HCL iControl application to verify if critical cookie attributes such as Secure and SameSite are missing and if the path attribute is set to root.
You can use network inspection tools or browser developer tools to check the cookie attributes.
For command-line detection, you can use curl to inspect the Set-Cookie headers in the server's responses. For example (the `-i` on grep matters because curl prints lowercase header names for HTTP/2 responses):
- `curl -I https://your-icontrol-server | grep -i set-cookie`
Then review the output to see whether the Secure and SameSite attributes are missing and whether the Path attribute is set to root (`Path=/`).
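The check below, added here as an example and not taken from the advisory or from HCL, parses Set-Cookie lines such as those the curl pipeline above prints and flags the three conditions the advisory names: missing Secure, missing SameSite, and a Path scoped to root. The sample header lines are constructed, and the lowercase header names assume curl's HTTP/2 output format.

```python
import sys

# Constructed sample Set-Cookie lines standing in for `curl -I ... | grep -i set-cookie`
# output (curl prints lowercase header names for HTTP/2 responses).
SAMPLE_HEADERS = [
    "set-cookie: JSESSIONID=abc123; Path=/; HttpOnly",
    "set-cookie: prefs=dark; Path=/app; Secure; SameSite=Lax",
    "set-cookie: csrf=xyz; Path=/; Secure",
]

def parse_set_cookie(value):
    """Split a Set-Cookie value into (cookie name, {attribute: value}); attribute names lowercased."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:  # skip empty segments such as a trailing ';'
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_set_cookie(header_line):
    """Return (cookie name, [issues]) for one Set-Cookie line, or None for any other header."""
    name, _, value = header_line.partition(":")
    if name.strip().lower() != "set-cookie":
        return None
    cookie, attrs = parse_set_cookie(value)
    issues = []
    if "secure" not in attrs:          # CWE-614: cookie may be sent over cleartext HTTP
        issues.append("missing Secure")
    if "samesite" not in attrs:        # browser falls back to its default cross-site policy
        issues.append("missing SameSite")
    if attrs.get("path") == "/":       # cookie is sent to every path on the host
        issues.append("Path scoped to root (/)")
    return cookie, issues

def audit_headers(lines):
    """Return (cookie name, issues) for every Set-Cookie line that has at least one issue."""
    results = []
    for line in lines:
        result = audit_set_cookie(line)
        if result and result[1]:
            results.append(result)
    return results

if __name__ == "__main__":
    # Pipe real curl output on stdin, or run with no input to audit the constructed sample.
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_HEADERS
    for cookie, issues in audit_headers(lines):
        print(f"{cookie}: {', '.join(issues)}")
```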
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include configuring the HCL iControl application to set the Secure and SameSite attributes on cookies properly.
Ensure that cookies are only sent over secure channels by enabling the Secure attribute and control cross-site request forgery by setting the SameSite attribute appropriately.
Additionally, review and adjust the cookie path attribute if necessary to limit the scope of the cookie.