
HCL BigFix Service Management CVE-2025-31978

EUVD: EUVD-2025-209695 · MEDIUM
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-05-06 · HCL
4.3 (CVSS 3.1 · NVD)

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

CVSS changed: 4.6 (MEDIUM) to 4.3 (MEDIUM) · Jun 29, 2026 15:07 · NVD
Analysis Generated · May 06, 2026 15:01 · vuln.today

Description (NVD)

HCL BigFix Service Management (SM) does not adequately sanitize or safely render spreadsheet files (CSV, XLS, XLSX) before processing or distributing them. An attacker could populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when automatically executed by the spreadsheet software. Note that current versions of Excel warn users of untrusted content.

Analysis (AI)

HCL BigFix Service Management fails to sanitize spreadsheet data (CSV, XLS, XLSX) before export, allowing authenticated users to inject formulas or malicious content that executes when recipients open the files in spreadsheet applications. An attacker with legitimate service management access can craft payloads in data fields that, when exported and opened by targeted users, may exfiltrate information or trigger unintended actions, though modern Excel versions mitigate this with untrusted content warnings. CVSS 4.6 reflects moderate risk limited to authenticated users and required user interaction (opening the file).

Technical Context (AI)

The vulnerability stems from improper handling of user-controlled data during spreadsheet file generation. When BigFix SM exports service management records to CSV, XLS, or XLSX formats, it does not escape or sanitize formula prefixes (e.g., =, +, @, -) that spreadsheet applications interpret as executable content. This is a manifestation of CWE-201 (Insertion of Sensitive Information Into Sent Data) extended to formula injection, a subset of CSV injection attacks. The root cause is the absence of input validation or output encoding specifically tailored to spreadsheet formats, which treat certain prefixes as directives rather than literal text. Affected systems run any version of HCL BigFix Service Management (cpe:2.3:a:hcl_software:bigfix_service_management_(sm):*:*:*:*:*:*:*:*), indicating the vulnerability spans the entire product line until patched.

Remediation (AI)

Apply the vendor-released patch specified in the HCL KB article (https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144); consult this reference for exact patched version numbers. Interim mitigations include:

(1) restrict export functionality to trusted internal users only by applying role-based access controls in BigFix SM;
(2) disable CSV/XLS/XLSX export features in BigFix SM if not operationally necessary, accepting the loss of data export capability;
(3) educate users receiving spreadsheet exports to enable formula auditing or disable automatic formula execution in Excel (via macro security settings), at the cost of reduced spreadsheet usability;
(4) configure endpoint protection to block execution of suspicious formulas in spreadsheet software.

The most effective control pending patch deployment is limiting export access to authenticated users known to be trustworthy, since the attack requires both authentication and victim interaction.
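The output encoding that the Technical Context section says is missing, plus a detection check an export pipeline can run on a finished file before it is distributed, as an added Python example; this is not HCL's code, `neutralize_cell`, `export_rows` and `audit_export` are assumed names, and the sample records are constructed for illustration:

```python
import csv
import io

# Characters spreadsheet software treats as the start of a formula or
# directive (=, +, @, - per the page; tab and CR can precede them).
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

def is_formula_like(cell: str) -> bool:
    """True if the cell text would be parsed as a formula when opened."""
    return cell.lstrip(" ").startswith(FORMULA_PREFIXES)

def neutralize_cell(cell: str) -> str:
    """Output-encode one cell so spreadsheet software treats it as text:
    a leading single quote is the text marker; the original content is kept
    intact after it, so nothing is silently dropped from the record."""
    return "'" + cell if is_formula_like(cell) else cell

def export_rows(rows, fieldnames, neutralize=True) -> str:
    """Render record dicts as CSV. neutralize=False reproduces the unsafe
    behaviour the page describes: raw field values pass straight through."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        cells = {k: str(row.get(k, "")) for k in fieldnames}
        if neutralize:
            cells = {k: neutralize_cell(v) for k, v in cells.items()}
        writer.writerow(cells)
    return buf.getvalue()

def audit_export(csv_text: str):
    """Detection check on a finished export: (row, column, value) for every
    cell that still begins with a formula prefix. Row 1 is the header."""
    findings = []
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        for col, val in row.items():
            if val and is_formula_like(val):
                findings.append((n, col, val))
    return findings

# Constructed sample service-management records; the second and third hold
# harmless formula-prefixed text standing in for attacker-populated fields.
FIELDS = ["ticket", "summary", "requester"]
SAMPLE_ROWS = [
    {"ticket": "INC-1001", "summary": "Printer offline", "requester": "alice"},
    {"ticket": "INC-1002", "summary": "=SUM(1,2)", "requester": "@bob"},
    {"ticket": "INC-1003", "summary": "\t+1", "requester": "carol"},
]
```

Because "-" is on the prefix list, a genuinely negative number in a text column is also quoted; columns that are meant to be numeric should be exported as typed numbers rather than free text so that rule does not apply to them.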

Related HCL BigFix Service Management CVEs

CVE-2025-31976 (HIGH, 7.5, May 06): Credential exposure in HCL BigFix Service Management (SM) version 23 leaves credentials insufficiently protected for a b
CVE-2025-31960 (MEDIUM, 5.3, May 06): HCL BigFix Service Management (SM) leaks sensitive information through improper error handling in its reporting module.
CVE-2025-31981 (MEDIUM, 5.3, Apr 21): HCL BigFix Service Management Discovery accepts unencrypted HTTP traffic on port 80, allowing network-adjacent attackers
CVE-2025-52613 (MEDIUM, 4.6, May 06): HCL BigFix Service Management (SM) contains an insecure or outdated WSGI server implementation that exposes the applicat
CVE-2025-31974 (LOW, 3.9, May 06): HCL BigFix Service Management is vulnerable to improper root filesystem configuration, allowing high-privileged authenti
CVE-2025-31984 (LOW, 3.7, May 06): HCL BigFix Service Management lacks secure X-Content-Type-Options HTTP headers, allowing browsers to perform MIME-type s
CVE-2025-31958 (LOW, 3.7, Apr 21): HTTP request smuggling in HCL BigFix Service Management allows remote unauthenticated attackers to exploit HTTP parsing
CVE-2025-31982 (LOW, 3.7, May 06): HCL BigFix Service Management contains unauthenticated-accessible directories that are not linked in the user interface
CVE-2025-31983 (LOW, 3.7, May 06): HCL BigFix Service Management (SM) contains a Content Security Policy (CSP) header misconfiguration that enables cross-s
CVE-2025-31959 (LOW, 3.5, May 06): HCL BigFix Service Management fails to strip EXIF metadata from uploaded images, allowing authenticated users to inadver
CVE-2025-31957 (LOW, 2.6, May 06): HCL BigFix Service Management (SM) contains a cross-site request forgery (CSRF) vulnerability that allows authenticated
CVE-2025-31975 (LOW, 2.6, May 06): HCL BigFix Service Management exposes server banner information containing software versions and system details accessib


CVE-2025-31978 vulnerability details – vuln.today
