Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Network confidentiality-only exposure (C:H, I:N, A:N) with no authentication or user interaction required. NVD scores attack complexity Low (AC:L) even though the attacker must be positioned to capture the credential during a short transient communication window; scoring that positioning requirement as AC:H instead would lower the base score to Medium.
Primary rating from NVD.
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description (NVD)
HCL BigFix Service Management (SM) is vulnerable to insufficiently protected credentials for a short duration while communicating with a backend, internal application, which could allow an attacker to potentially misuse them, if exfiltrated.
Analysis (AI)
Credential exposure in HCL BigFix Service Management (SM) version 23 leaves credentials insufficiently protected for a brief window while the application communicates with an internal backend service; an attacker able to capture that traffic could reuse the credentials to authenticate to the backend. The flaw was self-reported by HCL and carries a CVSS 7.5 (High, confidentiality-only) rating. No public exploit was identified at the time of analysis, and EPSS is negligible (0.03%, 8th percentile). CISA's SSVC framing rates Exploitation as "none" and the issue as not automatable, indicating low immediate urgency. Practically, the exposure window means the risk concentrates on anyone who can observe the SM-to-backend network path (a compromised host on the same segment, a misconfigured proxy, or a capture on the backend side), so segmenting and encrypting that path is the compensating control while the fix is rolled out.
More in HCL BigFix Service Management (SM)
HCL BigFix Service Management (SM) leaks sensitive information through improper error handling in its reporting module.
HCL BigFix Service Management Discovery accepts unencrypted HTTP traffic on port 80, allowing network-adjacent attackers
HCL BigFix Service Management (SM) contains an insecure or outdated WSGI server implementation that exposes the applicat
HCL BigFix Service Management fails to sanitize spreadsheet data (CSV, XLS, XLSX) before export, allowing authenticated
HCL BigFix Service Management is vulnerable to improper root filesystem configuration, allowing high-privileged authenti
HCL BigFix Service Management lacks secure X-Content-Type-Options HTTP headers, allowing browsers to perform MIME-type s
HTTP request smuggling in HCL BigFix Service Management allows remote unauthenticated attackers to exploit HTTP parsing
HCL BigFix Service Management contains unauthenticated-accessible directories that are not linked in the user interface
HCL BigFix Service Management (SM) contains a Content Security Policy (CSP) header misconfiguration that enables cross-s
HCL BigFix Service Management fails to strip EXIF metadata from uploaded images, allowing authenticated users to inadver
HCL BigFix Service Management (SM) contains a cross-site request forgery (CSRF) vulnerability that allows authenticated
HCL BigFix Service Management exposes server banner information containing software versions and system details accessib
Same weakness: CWE-200 – Information Exposure
Same technique: Information Disclosure
Related identifiers
EUVD-2025-209693
GHSA-hv3j-f356-x9xp