CVE-2025-62319: Unauthenticated SQL Injection in HCL Unica Marketing Platform
A critical SQL injection vulnerability tracked as CVE-2025-62319 has been disclosed in HCL Unica, HCL Software's enterprise marketing automation platform. The flaw carries a CVSS v3.1 score of 9.8 (Critical) and allows a remote, unauthenticated attacker to fully compromise the backend database with no user interaction required.
The vulnerability was published to the NIST National Vulnerability Database (NVD) on March 16, 2026, and affects all HCL Unica versions 25.1.1 and below. No public patch is available at this time.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2025-62319 |
| CVSS v3.1 Score | 9.8 (Critical) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CWE Classification | CWE-89 — Improper Neutralization of Special Elements in SQL Commands |
| Vendor | HCL Software |
| Affected Product | HCL Unica |
| Affected Versions | 25.1.1 and below |
| Attack Vector | Network (Remote) |
| Privileges Required | None |
| User Interaction | None |
| Patch Available | None confirmed |
| Public Exploit | None disclosed |
Technical Details
Vulnerability Type: Boolean-Based Blind SQL Injection
CVE-2025-62319 is classified as a Boolean-based blind SQL injection — a variant where the attacker cannot see direct database error output or query results, but can infer information by observing how the application responds differently to true vs. false SQL conditions.
How Boolean-based blind SQLi works:
' AND 1=1-- → TRUE condition → normal application response
' AND 1=2-- → FALSE condition → different/truncated response
By crafting a series of boolean queries, an attacker can systematically extract the entire database contents one bit at a time — including table names, column names, user records, and credentials. Automated tools such as sqlmap can fully automate this process.
Why CVSS 9.8 Is Warranted
The maximum possible CVSS score is 10.0. This vulnerability scores 9.8 rather than 10.0 only because the vector rates Scope as Unchanged (S:U); every other metric is at its most severe value:
- No authentication required — the injection point is reachable without any login or session
- No user interaction — exploitation is fully automated
- Low attack complexity — no race conditions, special configurations, or prerequisites
- Full CIA triad impact — Confidentiality, Integrity, and Availability are all rated High
An attacker with network access to the HCL Unica instance can extract, modify, or destroy all data in the backend database without any credentials.
Affected Product: HCL Unica
HCL Unica is an enterprise-grade marketing automation and campaign management platform used by large organizations across retail, financial services, healthcare, and telecommunications. It manages customer data, campaign histories, audience segmentation, and marketing analytics — making its database a high-value target containing:
- Customer personally identifiable information (PII)
- Campaign targeting and behavioral data
- Marketing credentials and API integrations
- Internal organizational configuration
The HCL Software support bulletin KB0129410 references the vulnerability within the HCL Unica/AION product lines, though the full remediation details require authenticated portal access.
Attack Scenario
1. Attacker identifies an internet-accessible HCL Unica deployment
2. Attacker probes the application for SQL injection points without providing any credentials
3. Boolean-based injection payloads are submitted to vulnerable parameters
4. Application responses (HTTP status, page content, response timing) are compared for TRUE vs. FALSE conditions
5. Automated tooling (e.g., sqlmap) iterates through all database tables and extracts full contents
6. Attacker obtains customer PII, campaign data, internal credentials, and configuration secrets from the database
7. Exfiltrated data can be used for further attacks, sold, or ransomed
Impact Assessment
| Impact Area | Description |
|---|---|
| Customer Data Exposure | Full database contents accessible — customer PII, behavioral profiles, contact data |
| Credential Compromise | Application credentials, API keys, and integration tokens stored in the database |
| Data Manipulation | Attacker can insert, modify, or delete records — corrupting campaign data and analytics |
| Compliance Risk | GDPR, CCPA, HIPAA violations likely if customer PII is exfiltrated |
| Business Impact | Marketing platform disruption; campaign data destruction; regulatory fines |
| Lateral Movement Risk | Database credentials may enable pivot to internal systems |
Remediation
Immediate Mitigations (No Patch Available)
Since no official patch has been released, organizations running HCL Unica 25.1.1 or earlier should implement the following interim controls immediately:
- Restrict network access — Place HCL Unica behind a VPN or network-level access control; block public internet exposure at the firewall
- Deploy a Web Application Firewall (WAF) — Enable SQL injection detection rules in Cloudflare WAF, AWS WAF, ModSecurity, or equivalent
- Enable database activity monitoring — Alert on unusual query volumes, enumeration patterns, or access from unexpected sources
- Audit existing access — Review HCL Unica access logs for anomalous SQL-pattern traffic or unexpected data exports
- Monitor HCL Support KB0129410 — Watch for patch availability through HCL's authenticated support portal
- Limit database user privileges — Ensure the HCL Unica database user operates with least privilege (no FILE, SUPER, or DROP permissions)
- Enable audit logging — Activate database-level query logging to detect exploitation attempts
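As an added example (not code from the advisory or from HCL), the following script applies the TRUE/FALSE probing pattern described under Technical Details to the access-log review and monitoring controls above: it groups SQLi-shaped query values by client, path and parameter and flags a source that sends both halves of a boolean pair to the same parameter. The Apache combined-log format, the /unica/campaign path and the id parameter are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in Apache combined-log style. The path /unica/campaign
# and the parameter "id" are placeholders, not a known vulnerable Unica endpoint.
SAMPLE_LOG = """\
10.0.0.7 - - [17/Mar/2026:09:12:01 +0000] "GET /unica/campaign?id=42 HTTP/1.1" 200 5120
203.0.113.9 - - [17/Mar/2026:09:13:10 +0000] "GET /unica/campaign?id=42%27%20AND%201%3D1-- HTTP/1.1" 200 5120
203.0.113.9 - - [17/Mar/2026:09:13:11 +0000] "GET /unica/campaign?id=42%27%20AND%201%3D2-- HTTP/1.1" 200 312
203.0.113.9 - - [17/Mar/2026:09:13:12 +0000] "GET /unica/campaign?id=42%27%20AND%20%27a%27%3D%27b%27-- HTTP/1.1" 200 312
10.0.0.8 - - [17/Mar/2026:09:14:00 +0000] "GET /unica/campaign?id=43 HTTP/1.1" 200 5090
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)')
# A closed string literal, a boolean operator, a comparison and (usually) a comment
# terminator: the shape of the ' AND 1=1-- / ' AND 1=2-- probes described above.
PROBE_RE = re.compile(r"'\s*(?:AND|OR)\b.+?[=<>].+?(?:--|#|/\*|$)", re.IGNORECASE)
TAUTOLOGY_RE = re.compile(r"\b(\d+)\s*=\s*\1\b")  # 1=1, 7=7: the TRUE half of a pair

def find_boolean_probes(log_text):
    """Group SQLi-shaped query values by (client, path, parameter) and flag sources
    that sent both a tautology and a non-tautology condition to the same parameter."""
    seen = defaultdict(lambda: {"probes": 0, "taut": 0, "other": 0, "sizes": set()})
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):  # skip unparsable lines
        parts = urlsplit(m["url"])
        # parse_qsl percent-decodes, so %27 becomes the quote the regex looks for
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if not PROBE_RE.search(value):
                continue
            rec = seen[(m["ip"], parts.path, name)]
            rec["probes"] += 1
            rec["taut" if TAUTOLOGY_RE.search(value) else "other"] += 1
            rec["sizes"].add(int(m["size"]))
    findings = []
    for (ip, path, param), rec in sorted(seen.items()):
        findings.append({
            "client": ip, "path": path, "param": param, "probes": rec["probes"],
            # One source sending both halves of a TRUE/FALSE pair is the differential signature
            "differential": rec["taut"] > 0 and rec["other"] > 0,
            # Different response sizes for injected conditions means the app exposes the oracle
            "size_divergence": len(rec["sizes"]) > 1,
        })
    return findings

if __name__ == "__main__":
    for finding in find_boolean_probes(SAMPLE_LOG):
        print(finding)
```

A WAF will usually block the obvious quote-and-comment form; this log-side check is meant to catch probing that reached the application, and the size_divergence flag tells you whether the responses themselves leaked a usable true/false signal.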
For HCL Unica Administrators
- Contact HCL Software support to obtain patch availability details for your specific version
- Review the HCL Support knowledge base article KB0129410 for official guidance
- Subscribe to HCL security advisories for notification when a patch is released
Key Takeaways
- CVE-2025-62319 carries a CVSS 9.8 Critical rating — one of the highest severity levels possible — due to its unauthenticated, network-accessible, no-interaction-required attack profile
- HCL Unica versions 25.1.1 and below are confirmed affected; organizations should assess their deployed versions immediately
- No official patch is available as of March 17, 2026 — network isolation and WAF deployment are the only interim controls
- The combination of enterprise deployment (large-scale customer PII databases) and unauthenticated access makes this vulnerability extremely high risk for any internet-facing Unica instance
- No public exploit code has been disclosed, but the CVSS 9.8 score and straightforward exploitation path make weaponization highly likely once this gains wider attention
- Monitor HCL Support KB0129410 and apply the official patch immediately upon release