HCL Software: Eight Vulnerabilities Disclosed Across Multiple Products

Key findings
- Eight vulnerabilities disclosed by HCL Software between June 2-4, 2026.
- Affected products include BigFix, Hive Telco Observability, iControl, and iReflection.
- Vulnerabilities range in severity from Low (CVSS 3.1) to High (CVSS 8.1).
- Common themes include input validation flaws, missing security headers, and outdated components.
- CVE-2025-52612 (iControl) and CVE-2025-59874 (Hive Telco) are rated High severity.
- CVE-2024-42206 in iReflection points to outdated third-party components.
HCL Software has addressed a batch of eight vulnerabilities disclosed between June 2nd and June 4th, 2026, impacting several of its product lines. The disclosures, made on two separate days, cover a mix of severity levels, from low-impact information exposure to high-severity flaws that could lead to significant security breaches.
The vulnerabilities affect a range of HCL products, including HCL BigFix Cloud Lifecycle Management, HCL Hive Telco Observability, HCL iControl, and HCL iReflection. The disclosures highlight common web application security weaknesses, such as input validation issues, missing security headers, and outdated components.
Several vulnerabilities were identified within HCL iControl. CVE-2025-52612, a CSV Injection flaw, could lead to reflected cross-site scripting (XSS) due to insufficient sanitization of input parameters. CVE-2025-52609, a Missing Security Headers vulnerability, could enable XSS attacks by bypassing browser filtering mechanisms. Additionally, CVE-2025-52608 points to Missing Cookie Attributes, specifically the absence of the 'Secure' and 'SameSite' attributes, along with an insecure 'path' setting. CVE-2025-52606 addresses a Weak Input Validation vulnerability in which the application fails to correctly validate input types. CVE-2025-52611, an Unhandled Exception vulnerability, could lead to Stack Trace Disclosure due to an undefined property access in JavaScript.
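The CSV injection class named above is usually mitigated at export time: any cell that begins with a character a spreadsheet treats as a formula trigger is prefixed so it is read as literal text. The following is an added example written for this article, not code from HCL or from the iControl product; the row data is constructed, and the function names are the example's own.

```python
import csv
import io

# Leading characters that spreadsheet applications interpret as the start
# of a formula (or, for tab and carriage return, as field/record breaks).
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return a CSV-safe text form of one cell.

    A cell whose first character would be interpreted as a formula is
    prefixed with a single quote so the spreadsheet treats it as text.
    None becomes an empty cell; other values are converted with str().
    """
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_PREFIXES):
        return "'" + text
    return text


def export_rows(rows, fieldnames):
    """Serialise dict rows to CSV text with every cell neutralized.

    Every field is quoted so that commas or quotes inside user-supplied
    values cannot break the row structure either.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({name: neutralize_cell(row.get(name))
                         for name in fieldnames})
    return buf.getvalue()


# Constructed sample rows (not data from the advisory): the second and
# third display names would be evaluated as formulas if written verbatim.
FIELDS = ["username", "display_name"]
SAMPLE_ROWS = [
    {"username": "alice", "display_name": "Alice"},
    {"username": "bob", "display_name": "=SUM(1,2)"},
    {"username": "carol", "display_name": "+1-555-0100"},
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_ROWS, FIELDS))
```

The trade-off is visible in the third row: a value such as a phone number or a negative figure also receives the prefix. Columns that are genuinely numeric should be validated as numbers before export rather than passed through this text-only path.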
Beyond iControl, HCL BigFix Cloud Lifecycle Management is affected by CVE-2025-62338, a Low severity Lack of Input Validation vulnerability that may lead to information exposure. HCL Hive Telco Observability has a High severity issue, CVE-2025-59874, stemming from missing directives in the Content Security Policy (CSP) within its Keycloak component, potentially leaving the site vulnerable. Lastly, CVE-2024-42206 in HCL iReflection highlights an issue with vulnerable and outdated third-party components within the web application.
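Missing security headers, incomplete cookie attributes (the iControl findings) and a Content Security Policy without key directives (the Hive Telco finding) can all be caught by auditing a server's raw HTTP response before deployment or in a recurring check. The checker below is an added example for this article, not HCL code or the configuration of any HCL product. It goes slightly beyond the advisory: it also checks HttpOnly and a few headers the advisory does not name, and it treats a cookie with no explicit Path as a review item because the advisory gives no detail on the insecure path value. Both responses are constructed samples, one weak and one hardened.

```python
# Added example: audit an HTTP response for missing security headers, weak
# Set-Cookie attributes and absent Content-Security-Policy directives.
# The two sample responses below are constructed for illustration.

REQUIRED_HEADERS = {
    "content-security-policy": "missing Content-Security-Policy header",
    "x-content-type-options": "missing X-Content-Type-Options header",
    "x-frame-options": "missing X-Frame-Options header",
    "strict-transport-security": "missing Strict-Transport-Security header",
}

# Directives the CSP should set explicitly. Fetch directives such as
# script-src and object-src fall back to default-src when absent;
# base-uri and frame-ancestors never fall back, so they must be present.
REQUIRED_CSP_DIRECTIVES = ("default-src", "script-src", "object-src",
                           "base-uri", "frame-ancestors")
NO_FALLBACK = {"base-uri", "frame-ancestors"}

# Attribute names (lower-cased) and their display labels.
REQUIRED_COOKIE_ATTRS = {"secure": "Secure", "httponly": "HttpOnly",
                         "samesite": "SameSite"}


def parse_headers(raw_response):
    """Return (name, value) pairs from the header block of a raw response."""
    headers = []
    for line in raw_response.split("\r\n")[1:]:   # skip the status line
        if line == "":                            # blank line ends headers
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def parse_cookie(set_cookie_value):
    """Split a Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].partition("=")[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def parse_csp(csp_value):
    """Map each CSP directive name to its list of source expressions."""
    directives = {}
    for directive in csp_value.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_response(raw_response):
    """Return a list of findings; an empty list means the response is clean."""
    findings = []
    headers = parse_headers(raw_response)
    present = {name for name, _ in headers}
    for name, message in REQUIRED_HEADERS.items():
        if name not in present:
            findings.append(message)
    for name, value in headers:
        if name == "content-security-policy":
            csp = parse_csp(value)
            for directive in REQUIRED_CSP_DIRECTIVES:
                if directive in csp:
                    continue
                if directive in NO_FALLBACK or "default-src" not in csp:
                    findings.append(f"CSP: missing directive {directive}")
        elif name == "set-cookie":
            cookie_name, attrs = parse_cookie(value)
            for attr, label in REQUIRED_COOKIE_ATTRS.items():
                if attr not in attrs:
                    findings.append(
                        f"cookie {cookie_name}: missing {label} attribute")
            if "path" not in attrs:
                findings.append(
                    f"cookie {cookie_name}: no explicit Path attribute")
    return findings


# Constructed weak response: CSP lacks base-uri and frame-ancestors, the
# session cookie lacks Secure and SameSite, and three headers are absent.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; SameSite=Lax\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed hardened response: the same page with every check satisfied.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'; "
    "object-src 'none'; base-uri 'self'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE),
                            ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(response) or "no findings")
```

The fallback rule matters when reading CSP findings: a policy that sets default-src but omits object-src is still covered for that fetch directive, whereas frame-ancestors and base-uri are only enforced when written out, which is why the checker reports those two for the weak response but not object-src.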
The majority of these vulnerabilities were disclosed on June 4th, 2026, with CVE-2024-42206 appearing two days earlier on June 2nd. While specific patch details were not provided for all individual CVEs, the coordinated disclosure suggests that HCL Software is working to address these issues. Users are advised to consult HCL's official advisories for specific version information and remediation steps.
This cluster of disclosures underscores the importance of continuous security monitoring and timely patching for users of HCL's diverse product portfolio. The range of vulnerabilities, from input validation to component management, emphasizes the need for a comprehensive security approach across all deployed HCL solutions.