CVE-2025-52632: CWE-614 in HCL AION
A Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability in HCL AION. This issue affects AION: 2.0.
AI Analysis
Technical Summary
CVE-2025-52632 identifies a vulnerability classified under CWE-614 (Missing Secure Attribute) in HCL AION version 2.0. The issue arises because the application sets session cookies used for encrypted SSL sessions without the Secure attribute. The Secure attribute instructs browsers to only send cookies over secure HTTPS connections, preventing exposure over unencrypted HTTP. Without this attribute, cookies may be transmitted over insecure channels if an attacker can induce or intercept HTTP requests, leading to potential session hijacking or credential theft. The vulnerability has a CVSS 3.1 base score of 6.5, indicating a medium severity level. It is remotely exploitable (AV:N), requires high attack complexity (AC:H), no privileges (PR:N), and no user interaction (UI:N). The impact is primarily on confidentiality (C:H) with limited impact on integrity (I:L) and no impact on availability (A:N). No patches or exploits are currently reported, but the risk remains due to the sensitive nature of session cookies in maintaining authenticated sessions. This vulnerability highlights a common security misconfiguration that can be mitigated by proper cookie attribute management and secure transport enforcement.
Potential Impact
For European organizations, the missing Secure attribute in session cookies can lead to interception of session tokens if users access services over unsecured networks or if attackers perform man-in-the-middle attacks on HTTP traffic. This compromises confidentiality by allowing attackers to hijack user sessions, potentially gaining unauthorized access to sensitive data or systems. The integrity and availability of systems are less affected. Organizations in sectors such as finance, healthcare, and government, which often use HCL AION for business process automation, could face data breaches or unauthorized access incidents. The medium severity rating suggests a moderate risk, but the impact could be significant if exploited in targeted attacks against critical infrastructure or sensitive applications. The lack of known exploits provides some time for mitigation, but proactive measures are essential to prevent exploitation.
Mitigation Recommendations
European organizations should immediately review their HCL AION 2.0 deployments to verify cookie configurations. Specifically, ensure that all session cookies have the Secure attribute set to enforce transmission only over HTTPS. Additionally, implement HTTP Strict Transport Security (HSTS) headers to force browsers to use HTTPS connections exclusively. Network monitoring should be enhanced to detect unusual session activity or repeated failed authentication attempts indicative of session hijacking attempts. Where possible, upgrade to a patched version of HCL AION once available. In the interim, consider deploying web application firewalls (WAFs) with rules to block non-HTTPS cookie transmissions and conduct security awareness training to reduce risks from insecure network usage. Regular security audits and penetration testing should include checks for cookie attribute misconfigurations.
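The following Python script is an added illustration of the cookie-configuration check described above; it is not code from the advisory or from HCL. It parses `Set-Cookie` and `Strict-Transport-Security` headers from a captured response, reports cookies that lack the Secure attribute (the CWE-614 condition) together with the related HttpOnly and SameSite attributes, and shows the hardened header a server should emit instead. The cookie name `SESSIONID` and the sample headers are constructed placeholders, not HCL AION's actual cookie names or responses.

```python
"""Audit HTTP response headers for CWE-614 (missing Secure attribute) and HSTS.

Added example: the cookie name and headers below are constructed placeholders,
not taken from HCL AION.
"""

# Attributes every session cookie should carry; Secure is the CWE-614 control.
REQUIRED_FLAGS = ("secure", "httponly")
ONE_YEAR = 31536000  # common minimum max-age for HSTS, in seconds


def parse_set_cookie(header_value: str):
    """Split a Set-Cookie value into (name, value, {attribute: value|True})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Flag attributes (Secure, HttpOnly) have no value; record them as True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header_value: str):
    """Return (cookie name, list of findings) for one Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header_value)
    findings = []
    if "secure" not in attrs:
        findings.append("CWE-614: missing Secure attribute")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly attribute")
    samesite = attrs.get("samesite")
    # SameSite absent, valueless, or None does not restrict cross-site sending.
    if samesite is None or samesite is True or str(samesite).lower() == "none":
        findings.append("SameSite is absent or not restrictive")
    return name, findings


def harden_set_cookie(header_value: str) -> str:
    """Append Secure, HttpOnly and SameSite=Lax where the header lacks them."""
    _, _, attrs = parse_set_cookie(header_value)
    hardened = header_value.rstrip("; ")
    if "secure" not in attrs:
        hardened += "; Secure"
    if "httponly" not in attrs:
        hardened += "; HttpOnly"
    if "samesite" not in attrs:
        hardened += "; SameSite=Lax"
    return hardened


def hsts_ok(header_value: str, min_age: int = ONE_YEAR) -> bool:
    """True when the HSTS header carries a max-age of at least min_age."""
    for part in header_value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.lower() == "max-age":
            try:
                return int(val) >= min_age
            except ValueError:
                return False
    return False


def audit_response(headers):
    """Audit a list of (name, value) response headers.

    Returns {"cookies": {name: [findings]}, "hsts": bool}.
    """
    report = {"cookies": {}, "hsts": False}
    for key, value in headers:
        lowered = key.lower()
        if lowered == "set-cookie":
            name, findings = audit_cookie(value)
            report["cookies"][name] = findings
        elif lowered == "strict-transport-security":
            report["hsts"] = hsts_ok(value)
    return report


# Constructed sample: a session cookie issued without Secure and no HSTS header.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/"),
]

if __name__ == "__main__":
    report = audit_response(SAMPLE_HEADERS)
    for name, findings in report["cookies"].items():
        print(f"{name}: {'; '.join(findings) or 'OK'}")
    print("HSTS enforced:", report["hsts"])
    print("Hardened header:", harden_set_cookie("SESSIONID=abc123; Path=/"))
```

Run against a saved response (for example the header list from a `requests` or `curl -i` capture of your own deployment) to confirm that every session cookie carries Secure before relying on HSTS as the only transport control; HSTS prevents the browser from initiating plaintext requests, but the Secure attribute is what stops the cookie itself from being attached if one is ever made.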
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: HCL
- Date Reserved: 2025-06-18T14:00:43.105Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68e8dd52aec0381be57eb4f3
Added to database: 10/10/2025, 10:17:54 AM
Last enriched: 10/10/2025, 10:18:27 AM
Last updated: 10/11/2025, 9:19:50 AM
Views: 6