CVE-2025-52612
Analyzed Analyzed - Analysis Complete
CSV Injection in HCL iControl

Publication date: 2026-06-04

Last updated on: 2026-06-04

Assigner: HCL Software

Description
HCL iControl was affected by Export CSV - CSV Injection vulnerability. It is vulnerable to a reflected cross-site scripting vulnerability. This was caused by an insufficient sanitation of input parameters. .
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-04
Last Modified
2026-06-04
Generated
2026-06-24
AI Q&A
2026-06-04
EPSS Evaluated
2026-06-23
NVD
CVE-2025-52612
EUVD
EUVD-2025-210058
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hcltech icontrol 4.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1236 The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in HCL iControl involves CSV Injection and reflected cross-site scripting due to insufficient input sanitation, which can lead to unauthorized data manipulation or disclosure.

Such vulnerabilities can impact compliance with standards like GDPR and HIPAA by potentially exposing sensitive personal or health information, violating requirements for data protection and integrity.

Organizations using affected versions of HCL iControl should assess the risk of data breaches or unauthorized access resulting from this vulnerability to ensure continued compliance.

Executive Summary

The vulnerability in HCL iControl involves an Export CSV - CSV Injection issue and a reflected cross-site scripting (XSS) vulnerability. It occurs due to insufficient sanitation of input parameters, allowing malicious input to be executed.

Impact Analysis

This vulnerability can lead to high impact on confidentiality, integrity, and availability, as indicated by the CVSS score. An attacker could exploit the reflected XSS to execute malicious scripts in the context of a user's browser, potentially stealing sensitive information or performing unauthorized actions. The CSV Injection could allow malicious code execution when exported CSV files are opened.

Mitigation Strategies

The vulnerability in HCL iControl is caused by insufficient sanitation of input parameters leading to CSV Injection and reflected cross-site scripting issues.

To mitigate this vulnerability, it is recommended to follow the guidance and apply any patches or updates provided by HCL as detailed in their security bulletin.

Review and restrict user input handling to ensure proper sanitization and validation to prevent injection attacks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-52612. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart