CVE-2025-52661 identifies a security vulnerability in HCL Software's AION product, version 2, related to insufficient session expiration controls. Specifically, the product uses JSON Web Tokens (JWTs) for session management, but the tokens have an excessively long expiry period. This design flaw falls under CWE-613, which concerns insufficient session expiration, potentially allowing attackers to reuse valid tokens beyond a reasonable timeframe. If an attacker obtains a valid JWT, they could misuse it to gain unauthorized access to the system until the token expires. The CVSS 3.1 score of 2.4 indicates a low severity, primarily because exploitation requires network access, low attack complexity, but high privileges and user interaction, and the impact is limited to integrity with no confidentiality or availability loss. No public exploits are known, and no patches have been linked yet. The vulnerability highlights the importance of proper session lifecycle management, including setting appropriate token expiration times and revocation capabilities to minimize the window of opportunity for token misuse.

For European organizations, this vulnerability poses a moderate risk mainly in environments where HCL AION version 2 is deployed for critical business processes. The prolonged JWT token validity increases the attack surface for session hijacking or replay attacks, potentially leading to unauthorized actions within the application. While the confidentiality impact is rated as none, integrity could be compromised if an attacker uses a stolen token to perform unauthorized operations. Availability is unaffected. Organizations in sectors such as finance, healthcare, and government, which rely on strict access controls and session management, may face compliance challenges if session expiration policies are inadequate. The low CVSS score suggests limited immediate risk, but the vulnerability could be exploited in targeted attacks, especially if combined with other weaknesses or social engineering to obtain tokens.

To mitigate this vulnerability, organizations should: 1) Configure HCL AION to enforce shorter JWT token lifetimes aligned with the principle of least privilege and session duration needs. 2) Implement token revocation mechanisms to invalidate tokens upon logout or suspicious activity. 3) Employ multi-factor authentication to reduce risks from token compromise. 4) Monitor and audit token usage patterns to detect anomalies indicative of misuse. 5) Apply strict access controls and network segmentation to limit exposure of tokens. 6) Stay updated with HCL Software advisories for patches or configuration recommendations addressing this issue. 7) Educate users on secure handling of authentication tokens and the risks of token sharing or phishing. These steps go beyond generic advice by focusing on session lifecycle management and proactive detection tailored to JWT-based authentication.