Description
HCL iControl was affected by Inadequate Session Timeout vulnerability. The vulnerability involves a security risk where a web application fails to automatically terminate user sessions after a period of inactivity
Published: 2026-06-17
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in HCL iControl arises because the web application does not automatically terminate user sessions after inactivity, leaving idle sessions open for indefinite periods. This session‑management flaw (CWE‑613) permits an attacker to reuse an existing session token or capture traffic to hijack a session, potentially gaining unauthorized access or performing privileged actions that threaten the confidentiality and integrity of the application's data.

Affected Systems

The affected product is HCL Software’s iControl. No specific version information is provided, so the vulnerability may impact all releases of iControl until a patch removes the inadequate timeout behavior.

Risk and Exploitability

The CVSS score is 3.1, indicating low severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited exploitation evidence. The likely attack vector is a remote web attacker exploiting the web application session timeout flaw without requiring credentials. While the risk is considered low, an attacker who obtains a session token—potentially through social engineering, phishing, or traffic interception—could hijack an idle session. Organizations should treat this as a moderate exposure for sensitive environments.

Generated by OpenCVE AI on June 18, 2026 at 11:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest HCL iControl patch or update when a fix is released.
  • Configure a stricter session timeout (e.g., 15 minutes) and enable automatic logout for idle sessions.
  • Enable session monitoring and alerting for unusually long idle sessions.

Generated by OpenCVE AI on June 18, 2026 at 11:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Hcltech
Hcltech icontrol
Vendors & Products Hcltech
Hcltech icontrol

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
Description HCL iControl was affected by Inadequate Session Timeout vulnerability. The vulnerability involves a security risk where a web application fails to automatically terminate user sessions after a period of inactivity
Title HCL iControl was affected by Inadequate Session Timeout vulnerability
Weaknesses CWE-613
References
Metrics cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Hcltech Icontrol
cve-icon MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-06-17T15:03:57.230Z

Reserved: 2025-10-10T09:04:27.771Z

Link: CVE-2025-62340

cve-icon Vulnrichment

Updated: 2026-06-17T15:03:53.375Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:03:23Z

Weaknesses
  • CWE-613

    Insufficient Session Expiration