A Cross-Site Request Forgery (CSRF) vulnerability has been identified in HCL Glovius Cloud. This allows an attacker to potentially force an authenticated user's browser to perform unintended actions on the platform. The vulnerability impacts versions of Glovius Cloud up to and including S05.25, and a fix is available from HCL.
The CSRF vulnerability in Glovius Cloud allows an attacker to craft malicious requests that appear to originate from a legitimate, authenticated user. Successful exploitation could lead to unauthorized modifications of user settings, data manipulation, or other actions depending on the functionality exposed by the vulnerable endpoint. While the description specifies a single endpoint, the potential impact depends on the sensitivity of that endpoint's functionality. The attacker needs to trick the user into clicking a malicious link or visiting a crafted webpage.
This vulnerability was publicly disclosed on 2025-11-20. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability is not currently listed on CISA KEV. The CVSS score of 6.8 (MEDIUM) suggests a moderate probability of exploitation if a PoC becomes available.
Organizations utilizing HCL Glovius Cloud, particularly those with users who frequently access the platform through web browsers, are at risk. Environments with shared user accounts or those lacking robust user awareness training are particularly vulnerable.
Disclosure
Exploitation status
EPSS: 0.01% (3rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-62346 is to upgrade to a patched version of HCL Glovius Cloud. Refer to HCL's security advisory for the specific fixed version. As a temporary workaround, implement strict input validation and output encoding on the vulnerable endpoint to reduce the attack surface. Consider implementing CSRF tokens or other anti-CSRF mechanisms on the affected endpoint if upgrading immediately is not possible. Review user access controls to limit the potential impact of a successful attack.
Update HCL Glovius Cloud to a version later than S05.25, in which the CSRF vulnerability has been fixed. Refer to the HCL knowledge base article for specific update instructions. As a temporary measure, avoid opening Glovius Cloud from untrusted links, or browsing untrusted pages while authenticated to the site.
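The anti-CSRF check recommended above, shown as an added example of a server-side synchronizer-token guard; this is illustrative code and not Glovius Cloud's or HCL's implementation. The `Request` model, the placeholder origin `https://glovius.example` and the header names are assumptions; the check layers browser fetch metadata, an Origin/Referer comparison and a constant-time token comparison so that a request forged from another site fails even when the victim's session cookie is sent along.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://glovius.example"   # placeholder, not a real deployment
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must not change state


@dataclass
class Request:
    """Constructed, hypothetical request model (not the product's API)."""
    method: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)


def issue_csrf_token(session: dict) -> str:
    """Synchronizer token: one random secret per session, embedded in forms."""
    session.setdefault("csrf_token", secrets.token_urlsafe(32))
    return session["csrf_token"]


def _origin_of(url: str) -> str:
    # Compare scheme + host only, so "glovius.example.evil.test" cannot pass.
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def csrf_check(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Apply to every state-changing endpoint."""
    if req.method.upper() in SAFE_METHODS:
        return True, "safe method"
    # 1. Browsers label cross-site requests via Sec-Fetch-Site.
    fetch_site = req.headers.get("Sec-Fetch-Site")
    if fetch_site and fetch_site not in ("same-origin", "none"):
        return False, f"cross-site request (Sec-Fetch-Site={fetch_site})"
    # 2. Origin (or Referer as fallback) must match the site when present.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin and _origin_of(origin) != SITE_ORIGIN:
        return False, f"origin mismatch ({origin})"
    # 3. Submitted token must equal the session's copy (constant-time compare).
    expected = req.session.get("csrf_token")
    submitted = req.form.get("csrf_token") or req.headers.get("X-CSRF-Token")
    if not expected or not submitted:
        return False, "missing CSRF token"
    if not hmac.compare_digest(expected, submitted):
        return False, "CSRF token mismatch"
    return True, "ok"
```

A forged cross-site POST carries the victim's cookie but neither a same-origin Origin header nor the session's token, so it is rejected at step 1 or 2 before the token is even consulted.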
CVE-2025-62346 describes a Cross-Site Request Forgery (CSRF) vulnerability in HCL Glovius Cloud, allowing attackers to trigger unauthorized actions through a user's browser.
Yes, if you are using HCL Glovius Cloud versions prior to the patched release, you are potentially affected by this CSRF vulnerability.
Upgrade to the latest patched version of HCL Glovius Cloud as recommended in HCL's security advisory. Implement CSRF mitigation techniques as a temporary workaround.
Currently, there are no confirmed reports of active exploitation of CVE-2025-62346, but the potential for exploitation exists.
Refer to the official HCL security advisory for detailed information and remediation steps regarding CVE-2025-62346.