CVE-2026-21837
HCL · Digital Experience
HCL Digital Experience is affected by an OS command injection vulnerability within its Digital Asset Management API.
Executive summary
An OS command injection vulnerability in the HCL Digital Experience Digital Asset Management API poses a high risk of unauthorized system command execution.
Vulnerability
The vulnerability exists in the Digital Asset Management API, where insufficient sanitization of user-supplied input allows OS command injection. The flaw permits an attacker who can reach the affected API component to execute arbitrary system commands.
Business impact
With a CVSS score of 8.8, this vulnerability represents a high-severity threat. Successful exploitation grants an attacker the ability to execute commands with the privileges of the application, which may lead to full server compromise, lateral movement within the network, and unauthorized access to sensitive business data.
Remediation
Immediate Action: Consult the official HCL security advisory to identify and apply the latest security patches or cumulative fixes for the Digital Experience platform.
Proactive Monitoring: Monitor server logs for anomalous process execution or unexpected system command invocations originating from the web application service account.
Compensating Controls: Implement strict input validation at the WAF level to intercept and block common OS command injection payloads before they reach the API.
Exploitation status
Public Exploit Available: False
Analyst recommendation
Organizations running HCL Digital Experience should treat this vulnerability with high urgency. Monitor official HCL channels for patch releases and apply them as soon as they become available to mitigate the risk of remote command execution.