Description
HCL iControl v4.0.0 was affected by Unhandled Exception - Stack Trace Disclosure vulnerability. The error occurs due to an undefined property being accessed in the application's JavaScript code. Specifically, the code attempts to read the property dashboard key from an object that is undefined. This issue likely stems from one of the following: A missing or improperly initialized object.
Published: 2026-06-04
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unhandled exception that exposes a full stack trace when JavaScript attempts to access an undefined dashboard key property. The stack trace includes file names, line numbers, and function names, which could reveal internal code structure and potential entry points. However, the disclosed information does not provide direct execution privileges or remote code execution. The weakness is classified as CWE‑209, an Information Disclosure vulnerability.

Affected Systems

HCL iControl version 4.0.0 is affected. The bug occurs inside the JavaScript runtime of the application, so the impact applies to any deployment of that release. No other versions are listed.

Risk and Exploitability

The CVSS score of 3.1 indicates low severity. The EPSS score is not available and the vulnerability is not in the CISA KEV list, which suggests limited widespread exploitation. The likely attack vector is remote via the web interface; by accessing a page that triggers the exception, an attacker could retrieve the stack trace. Because it only reveals information, the risk is low. Nevertheless, mitigating the exposure reduces the surface for reconnaissance.

Generated by OpenCVE AI on June 4, 2026 at 13:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the official HCL iControl patch available in KB0131041, which corrects the undefined property access.
  • Verify that the application is running the updated version (4.0.x or later) and that the error handling configuration suppresses stack trace output in production environments.
  • Configure the web server or application to use custom error pages that do not display stack traces, and disable verbose error logging.

Generated by OpenCVE AI on June 4, 2026 at 13:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Hcltech
Hcltech icontrol
CPEs cpe:2.3:a:hcltech:icontrol:4.0.0:*:*:*:*:*:*:*
Vendors & Products Hcltech
Hcltech icontrol

Thu, 04 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Description HCL iControl v4.0.0 was affected by Unhandled Exception - Stack Trace Disclosure vulnerability. The error occurs due to an undefined property being accessed in the application's JavaScript code. Specifically, the code attempts to read the property dashboard key from an object that is undefined. This issue likely stems from one of the following: A missing or improperly initialized object.
Title HCL iControl was affected by Unhandled Exception - Stack Trace Disclosure vulnerability
Weaknesses CWE-209
References
Metrics cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Hcltech Icontrol
cve-icon MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-06-04T13:18:58.258Z

Reserved: 2025-06-18T14:00:38.418Z

Link: CVE-2025-52611

cve-icon Vulnrichment

Updated: 2026-06-04T13:18:36.462Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-04T12:16:24.013

Modified: 2026-06-04T18:34:24.517

Link: CVE-2025-52611

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T10:08:18Z

Weaknesses
  • CWE-209

    Generation of Error Message Containing Sensitive Information