CVE-2025-51735

HCL · HCL Technologies CSV Multiple Products

A high-severity vulnerability has been identified in multiple HCL Technologies products, allowing for CSV formula injection.

Executive summary

A high-severity vulnerability has been identified in multiple HCL Technologies products, allowing for CSV formula injection. An attacker could exploit this by tricking a user into opening a malicious CSV file, which could lead to the execution of arbitrary commands, data theft, or compromise of the user's workstation.

Vulnerability

The vulnerability exists because the affected HCL products do not properly sanitize data before exporting it to a CSV file format. An attacker can embed malicious formulas (e.g., starting with =, +, -, or @) into data fields that will be included in a CSV export. When a victim opens this specially crafted CSV file using a spreadsheet application like Microsoft Excel or LibreOffice Calc, the application may interpret and execute these formulas, leading to consequences such as remote code execution, data exfiltration via hyperlink functions, or execution of local system commands.

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.5. Successful exploitation could have a significant negative impact on the organization. Potential consequences include the exfiltration of sensitive corporate or customer data, compromise of user credentials, and the deployment of malware or ransomware on an employee's computer. This could lead to financial loss, regulatory penalties, and reputational damage, and could give an attacker a foothold from which to move laterally within the corporate network.

Remediation

Immediate Action: Apply the security updates released by HCL Technologies immediately across all affected products. After patching, it is critical to monitor for any signs of attempted exploitation by reviewing application and access logs for suspicious activity that may have occurred prior to remediation.

Proactive Monitoring: Implement enhanced monitoring to detect potential exploitation attempts. Security teams should look for unusual outbound network connections from workstations immediately after a user opens a CSV file. Monitor endpoint security logs for spreadsheet applications (e.g., EXCEL.EXE) spawning unexpected child processes, such as cmd.exe, powershell.exe, or mshta.exe.

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls:

  • User Awareness Training: Educate users on the risks of opening CSV files from untrusted sources and instruct them to disable automatic execution of formulas or macros in their spreadsheet software.
  • Endpoint Security: Ensure Endpoint Detection and Response (EDR) solutions are configured with rules to detect and block suspicious process chains originating from spreadsheet applications.
  • Data Sanitization: If possible, implement a proxy or script to sanitize CSV files at the point of download, prefixing any cell that begins with =, +, -, or @ with a single quote (') to prevent formula execution.
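The data sanitization control above could be scripted as follows. This is an added example, not HCL's code or part of the original advisory; the function names and the sample export are constructed for illustration, and treating tab and carriage return as triggers is an assumption that goes beyond the four characters the advisory lists.

```python
import csv
import io

# Leading characters the advisory lists as formula triggers.
ADVISORY_TRIGGERS = ("=", "+", "-", "@")
# Assumption beyond the advisory: tab and carriage return are also treated as
# triggers, following OWASP's CSV injection guidance.
EXTRA_TRIGGERS = ("\t", "\r")


def neutralize_cell(value):
    """Prefix a cell with a single quote if it starts with a trigger character."""
    if value.startswith(ADVISORY_TRIGGERS + EXTRA_TRIGGERS):
        return "'" + value
    return value


def sanitize_csv(text):
    """Return (sanitized CSV text, list of (row, column) cells that were changed).

    The input is parsed with the csv module rather than matched line by line,
    so a quoted field such as "=SUM(1,1)" is tested on its real first character
    and an embedded newline is not mistaken for the start of a new row.
    """
    reader = csv.reader(io.StringIO(text, newline=""))
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    changed = []
    for row_no, row in enumerate(reader, start=1):
        safe_row = []
        for col_no, cell in enumerate(row, start=1):
            safe = neutralize_cell(cell)
            if safe != cell:
                changed.append((row_no, col_no))
            safe_row.append(safe)
        writer.writerow(safe_row)
    return out.getvalue(), changed


# Constructed sample export (not real product output).
SAMPLE = (
    "name,comment,balance\r\n"
    "alice,hello,100\r\n"
    'bob,"=SUM(1,1)",-20\r\n'
    'carol,"note\n@mention",+5\r\n'
)

if __name__ == "__main__":
    cleaned, changed = sanitize_csv(SAMPLE)
    print(cleaned)
    print("neutralized cells (row, column):", changed)
```

Because the rule applies to every cell that begins with a listed character, legitimate values such as -20 are also prefixed and will be read as text. The returned list of changed cells can be logged to show which exported fields carried a leading trigger character.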

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high severity (CVSS 7.5) and the potential for remote code execution and data exfiltration, this vulnerability poses a significant risk to the organization. While it is not currently listed on the CISA KEV catalog, its impact warrants immediate attention. We strongly recommend that all affected HCL products be patched on an emergency basis. In parallel, security teams should implement the proactive monitoring and compensating controls detailed above to reduce the attack surface and improve detection capabilities until patching is complete.