Skip to main content

HCL BigFix SM CVE-2025-31973

| EUVDEUVD-2025-209905 MEDIUM
2026-05-20 psirt@hcl.com GHSA-4m6q-wqc9-g2m5
4.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.0 MEDIUM
AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 20, 2026 - 12:30 vuln.today

DescriptionCVE.org

HCL BigFix Service Management (SM) is susceptible to a Configuration - 'Insecure Use of Base Image Version'. Using outdated or insecure base images may introduce known vulnerabilities, potentially increasing the risk of exploitation in the application environment.

AnalysisAI

HCL BigFix Service Management (SM) ships container deployments built on outdated or insecure base images, inheriting known vulnerabilities from those upstream layers rather than introducing a discrete code-level flaw. The CVSS vector (AV:L/PR:H/UI:R) constrains real-world risk significantly: exploitation requires local access, high privileges, and user interaction, making opportunistic remote attack unlikely. The actual exploitability and impact depend entirely on which specific vulnerabilities are present in the underlying base image versions in use. No public exploit code and no CISA KEV listing exist at the time of analysis.

Technical ContextAI

The vulnerability class is an insecure software supply chain configuration practice where container base images - the OS or runtime layers upon which the application image is built - are pinned to outdated versions. These outdated base images may contain CVEs in system libraries (e.g., glibc, OpenSSL, curl) or package managers inherited at build time. No CWE identifier was assigned by NVD, though this pattern aligns broadly with CWE-1104 (Use of Unmaintained Third Party Components) or CWE-657 (Violation of Secure Design Principles). The affected product is HCL BigFix Service Management (SM), a containerized IT service management platform. No CPE strings were provided in the source data, so exact affected versions and container registry coordinates cannot be independently confirmed from this advisory alone.

RemediationAI

The primary remediation is to rebuild HCL BigFix Service Management container images using current, patched base images and redeploy. HCL's advisory KB0128144 at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144 should be consulted for the specific updated image versions or patch packages provided by the vendor. No exact fix version was supplied in the available data, so the patch version cannot be independently confirmed - the advisory should be treated as the authoritative source. As a compensating control pending a formal upgrade, organizations can scan running container images with a container vulnerability scanner (e.g., Trivy, Grype, Anchore) to enumerate which specific CVEs are inherited from the outdated base layer, prioritizing remediation of those with network-exposed, unauthenticated attack vectors. Restricting privileged access to the containerized environment limits the local, high-privilege exploitation path described in the CVSS vector. Implementing a container image policy that blocks deployment of images with base layers older than a defined threshold (e.g., 90 days) reduces ongoing exposure. Note that updating base images requires rebuilding and redeploying the application, which may require coordination with change management processes.

Share

CVE-2025-31973 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy