
CVE-2025-31954: CWE-598 Use of GET Request Method With Sensitive Query Strings in HCL Software iAutomate

Severity: Medium
Published: Wed Nov 05 2025 (11/05/2025, 18:23:21 UTC)
Source: CVE Database V5
Vendor/Project: HCL Software
Product: iAutomate

Description

CVE-2025-31954 is a medium severity vulnerability affecting HCL Software's iAutomate versions 6.5.1 and 6.5.2. The issue arises from HTTP GET requests that carry sensitive information in the query string. Because the full URL is recorded in browser history, server and proxy logs, and outbound Referer headers, confidential values in it can be read by anyone with access to those records. An attacker with at least limited privileges on the system could obtain such URLs and gain unauthorized insight into sensitive information. Exploitation does not require user interaction but does require some level of privilege. The vulnerability impacts confidentiality and integrity but not availability. No known exploits are currently in the wild, and no patches have been released yet.

AI-Powered Analysis

Last updated: 11/12/2025, 18:56:31 UTC

Technical Analysis

CVE-2025-31954 identifies a weakness in HCL Software's iAutomate versions 6.5.1 and 6.5.2: sensitive information is placed in the query string of HTTP GET requests. The associated Common Weakness Enumeration entry is CWE-598, Use of GET Request Method With Sensitive Query Strings. The practice is insecure because a URL, query string included, is persisted and copied in many places that a request body is not: browser history and address-bar autocomplete, web server access logs, reverse proxy, load balancer and CDN logs, the Referer header sent to any site linked from the page, bookmarks, and support tickets where users paste URLs. TLS encrypts the query string on the wire, so a purely passive network observer does not see it; the exposure comes from every endpoint and intermediary that terminates TLS and writes the URL to a log, and from anyone able to read those logs or histories. In the CVE's threat model, an attacker with limited privileges (PR:L) can reach such records and recover data that should have been protected.

The CVSS v3.1 base score is 5.4 (medium), with vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N: the attack is network-based, requires low attack complexity and low privileges, needs no user interaction, leaves the scope unchanged (only the vulnerable component is affected), has limited confidentiality and integrity impact, and no availability impact. The confidentiality impact is the direct leak of data in URLs; the integrity impact is consistent with values recovered from a logged URL (for example a token or workflow parameter) being replayed or modified in a later request. The CVE record does not name the affected endpoints or parameters. No known exploits have been reported in the wild, and no official patch had been published as of the date of analysis.

The weakness matters most for organizations whose iAutomate workflows handle confidential data, and in environments with extensive logging or monitoring, since each additional log copy is another place the data can be read. The fix pattern is to move sensitive values into the request body (POST or PUT) or, for credentials, into an Authorization header, and to keep query strings limited to non-sensitive identifiers.

Potential Impact

For European organizations, this vulnerability poses a risk of sensitive information leakage, which could include credentials, tokens, or confidential workflow parameters embedded in URLs. Such exposure could lead to unauthorized access to internal resources or to personal data, undermining data protection obligations such as those under GDPR. The integrity impact suggests potential manipulation of automation workflows, which could disrupt business processes or lead to incorrect operations. Organizations in sectors with strict data privacy requirements (e.g., finance, healthcare, government) are particularly at risk. The lack of availability impact reduces the risk of service disruption but does not diminish the confidentiality concerns. Since exploitation requires some privilege, insider threats or compromised accounts could leverage this vulnerability, and so could anyone with read access to log aggregation platforms, proxy logs or backups that hold historical URLs. The absence of known exploits provides a window for remediation before active attacks emerge, but organizations that use iAutomate for automation tasks should treat URLs already written to logs as potentially exposed.

Mitigation Recommendations

European organizations should immediately audit their use of HCL iAutomate versions 6.5.1 and 6.5.2 to identify any workflows or API calls that transmit sensitive information via HTTP GET requests. A practical first check is to search web server, reverse proxy and load balancer access logs for iAutomate requests whose query string contains parameter names such as password, token, apiKey or session; any hit means the value has already been recorded, and the credential or token should be rotated. Where possible, modify these workflows to use HTTP POST or other methods that place sensitive data in the request body or in an Authorization header rather than the URL. Configure log formats at every TLS-terminating hop to omit or redact the query string, and restrict who can read those logs. Serve iAutomate pages with a restrictive Referrer-Policy (for example no-referrer) so that URLs are not forwarded to other sites in the Referer header. Keep TLS enforced for all traffic, but note that TLS protects data in transit only and does not stop URLs from being logged at either end. Review and minimize the privileges of users and service accounts interacting with iAutomate to reduce the risk of exploitation by insiders or compromised accounts. Since no patches are currently available, consider temporary compensating controls such as restricting access to the affected interfaces to trusted networks. Educate developers and administrators on secure coding practices to avoid embedding sensitive data in URLs. Finally, maintain vigilance for any updates or patches from HCL and apply them promptly once released.
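The audit step above, and the logging channels described in the technical analysis, can both be exercised with a small scanner. The following is an added example written for this page; it is not part of the advisory and not HCL's or iAutomate's own code. It parses Combined Log Format access log lines, flags requests whose query string carries a sensitive-looking parameter, flags Referer values that carry one (the third-party leak channel), and produces the redacted form of the request that a log pipeline should store instead. The log lines are constructed for illustration, and the set of parameter names treated as sensitive is an assumption to be tuned per application.

```python
"""Scan access logs for sensitive data in GET query strings (CWE-598).

Added example for this advisory page, not vendor code. Sample log lines
are constructed; SENSITIVE_PARAMS is an assumed starting list.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Combined Log Format lines (not real iAutomate logs).
SAMPLE_LOG = """\
10.0.0.5 - alice [05/Nov/2025:18:23:21 +0000] "GET /api/jobs?status=done&page=2 HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.7 - bob [05/Nov/2025:18:24:02 +0000] "GET /api/login?username=bob&password=Winter2025! HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - svc [05/Nov/2025:18:25:10 +0000] "GET /api/run?workflow=backup&apiKey=AKIAEXAMPLE1234567 HTTP/1.1" 200 88 "-" "python-requests/2.31"
10.0.0.9 - svc [05/Nov/2025:18:25:11 +0000] "POST /api/run HTTP/1.1" 200 88 "-" "python-requests/2.31"
10.0.0.7 - bob [05/Nov/2025:18:26:40 +0000] "GET /static/logo.png HTTP/1.1" 200 4096 "https://iautomate.example/api/run?workflow=backup&apiKey=AKIAEXAMPLE1234567" "Mozilla/5.0"
"""

# Parameter names that usually carry secrets (assumption; extend per application).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "secret", "token", "access_token",
                    "apikey", "api_key", "session", "sessionid", "auth", "key"}

# Combined Log Format: ip ident user [ts] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def sensitive_query_params(url_or_target):
    """Names of sensitive parameters found in the query string of a URL or request target."""
    query = urlsplit(url_or_target).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if name.lower() in SENSITIVE_PARAMS]


def redact_target(target):
    """Return the target with sensitive parameter values replaced, preserving original encoding."""
    path, sep, query = target.partition("?")
    if not sep:
        return target
    cleaned = []
    for pair in query.split("&"):
        name, _eq, _value = pair.partition("=")
        cleaned.append(name + "=[REDACTED]" if name.lower() in SENSITIVE_PARAMS else pair)
    return path + "?" + "&".join(cleaned)


def scan_log(text):
    """Return findings for lines whose request target or Referer carries a sensitive parameter.

    POST bodies are never written to access logs, so a POST line cannot match here;
    that is exactly why moving the data into the body removes this exposure.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real tool would count these
        for source, value in (("query", m["target"]), ("referer", m["referer"])):
            params = sensitive_query_params(value)
            if params:
                findings.append({
                    "line": line_no,
                    "user": m["user"],
                    "method": m["method"],
                    "source": source,
                    "params": params,
                    "redacted": redact_target(value),
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['source']} from user {f['user']} exposes {f['params']}"
              f" -> store as {f['redacted']}")
```

Run against real access logs by replacing SAMPLE_LOG with the file contents. A finding with source "referer" shows a URL that a browser carried into another request; the same URL would have reached any external site linked from that page, which is why a restrictive Referrer-Policy belongs alongside the log redaction.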


Technical Details

Data Version
5.2
Assigner Short Name
HCL
Date Reserved
2025-04-01T18:46:19.517Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 690b99bc5191fb7cf2265e3f

Added to database: 11/5/2025, 6:38:52 PM

Last enriched: 11/12/2025, 6:56:31 PM

Last updated: 12/20/2025, 6:52:39 PM

