Platform: other
Component: glovius-cloud
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in HCL Glovius Cloud. This allows an attacker to potentially force an authenticated user's browser to perform unintended actions on the platform. The vulnerability impacts versions of Glovius Cloud up to and including S05.25, and a fix is available from HCL.
The CSRF vulnerability in Glovius Cloud allows an attacker to craft malicious requests that appear to originate from a legitimate, authenticated user. Successful exploitation could lead to unauthorized modifications of user settings, data manipulation, or other actions depending on the functionality exposed by the vulnerable endpoint. While the description specifies a single endpoint, the potential impact depends on the sensitivity of that endpoint's functionality. The attacker needs to trick the user into clicking a malicious link or visiting a crafted webpage.
This vulnerability was publicly disclosed on 2025-11-20. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability is not currently listed on CISA KEV. The CVSS score of 6.8 (MEDIUM) suggests a moderate probability of exploitation if a PoC becomes available.
Exploit Status
EPSS: 0.01% (3rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-62346 is to upgrade to a patched version of HCL Glovius Cloud; refer to HCL's security advisory for the specific fixed version. If upgrading immediately is not possible, apply strict input validation and output encoding on the vulnerable endpoint as general hardening, and add CSRF tokens or another anti-CSRF mechanism (such as Origin/Referer validation) to the affected endpoint, since only the latter actually stops a forged cross-site request. Review user access controls to limit the potential impact of a successful attack.
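The anti-CSRF mechanism the advisory recommends, shown as an added example rather than HCL's code or anything taken from Glovius Cloud: a synchronizer token bound to the session with an HMAC, checked together with the browser-supplied Origin (or Referer) header before any state-changing request is honoured. Input validation on its own does not help here, because a forged request carries perfectly well-formed input; what the attacker's page cannot supply is a token tied to the victim's session. The `Request` class, `SITE_ORIGIN`, the session identifier and the secret-key handling are constructed assumptions for the example.

```python
"""Synchronizer-token CSRF check (example code, not the vendor's implementation)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed per-process key. In a real deployment this comes from a secret
# store and is shared by every instance that validates tokens.
SECRET_KEY = secrets.token_bytes(32)

# Assumed origin of the protected application (placeholder, not a real host).
SITE_ORIGIN = "https://glovius.example"

# Methods that must not change state and therefore need no CSRF token.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def issue_csrf_token(session_id: str) -> str:
    """Mint a token bound to one session: random nonce plus an HMAC over (session, nonce).

    The server does not need to store the token; the HMAC lets it recognise
    tokens it issued for this session and reject tokens copied from another.
    """
    nonce = secrets.token_hex(16)
    tag = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{tag}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Constant-time check that `token` was issued for `session_id`."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, tag = token.split(".", 1)
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed for this example)."""
    method: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def request_origin(req: Request):
    """Origin the browser attributes the request to: Origin header, else scheme://host of Referer."""
    origin = req.headers.get("Origin")
    if origin:
        return origin
    referer = req.headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def csrf_check(req: Request, session_id: str) -> tuple:
    """Return (allowed, reason) for a request arriving with an authenticated session.

    Two independent checks: the browser-supplied origin must be our own, and the
    request must carry a token bound to this session. A forged cross-site request
    fails both, because cookies travel automatically but the token does not.
    """
    if req.method.upper() in SAFE_METHODS:
        return True, "safe method"
    origin = request_origin(req)
    if origin is None:
        return False, "missing Origin and Referer"
    if origin != SITE_ORIGIN:
        return False, f"cross-origin request from {origin}"
    token = req.form.get("csrf_token") or req.headers.get("X-CSRF-Token")
    if not token:
        return False, "missing CSRF token"
    if not verify_csrf_token(session_id, token):
        return False, "CSRF token not valid for this session"
    return True, "ok"


if __name__ == "__main__":
    sid = "session-abc123"  # constructed session identifier (carried in a cookie in practice)
    token = issue_csrf_token(sid)
    # Legitimate form post rendered by our own page: same origin, carries the token.
    legit = Request("POST", {"Origin": SITE_ORIGIN}, {"csrf_token": token, "setting": "x"})
    # Forged post from another site: the browser attaches the session cookie, but the
    # other page cannot read our token and the browser sets Origin for it.
    forged = Request("POST", {"Origin": "https://attacker.example"}, {"setting": "x"})
    print(csrf_check(legit, sid))   # (True, 'ok')
    print(csrf_check(forged, sid))  # (False, 'cross-origin request from https://attacker.example')
```

The token is embedded in the page as a hidden form field or sent in an `X-CSRF-Token` header by same-origin scripts; the Origin check is a cheap first filter, and the HMAC binding means a token leaked from one session is useless against another. Apply the check to every state-changing route, not only the endpoint named in the advisory.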
Update HCL Glovius Cloud to a version later than S05.25 in which the CSRF vulnerability has been addressed; refer to the HCL knowledge base article for specific upgrade instructions. As a temporary measure, avoid opening untrusted links or web pages while you have an authenticated Glovius Cloud session.
CVE-2025-62346 describes a Cross-Site Request Forgery (CSRF) vulnerability in HCL Glovius Cloud, allowing attackers to trigger unauthorized actions through a user's browser.
Yes, if you are using HCL Glovius Cloud versions prior to the patched release, you are potentially affected by this CSRF vulnerability.
Upgrade to the latest patched version of HCL Glovius Cloud as recommended in HCL's security advisory. Implement CSRF mitigation techniques as a temporary workaround.
Currently, there are no confirmed reports of active exploitation of CVE-2025-62346, but the potential for exploitation exists.
Refer to the official HCL security advisory for detailed information and remediation steps regarding CVE-2025-62346.