Skip to main content

HCL BigFix Service Management CVE-2025-31982

| EUVDEUVD-2025-209697 LOW
Information Exposure (CWE-200)
2026-05-06 HCL GHSA-r7c2-39pq-6jh8
3.7
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.7 LOW
AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 06, 2026 - 15:00 vuln.today

DescriptionCVE.org

HCL BigFix Service Management (SM) had directories that were not linked or publicly visible but could be accessed directly. This could allow an increased risk of information disclosure or misuse of sensitive functionality.

AnalysisAI

HCL BigFix Service Management contains unauthenticated-accessible directories that are not linked in the user interface but can be reached through direct URL access, enabling authenticated users with low privileges to disclose sensitive information or access restricted functionality. The vulnerability requires authenticated access, user interaction, and higher-than-average attack complexity; active exploitation status has not been confirmed.

Technical ContextAI

HCL BigFix Service Management (SM) is an IT operations and change management platform. The vulnerability stems from improper access controls on web application directories (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor). These directories lack proper authentication or authorization checks despite not being exposed through normal navigation paths. An attacker who gains low-privilege authenticated access (PR:L per CVSS vector) and can interact with a logged-in user (UI:R) can construct direct URLs to reach these hidden directories, bypassing the intended user interface abstraction layer. The attack vector is network-based (AV:N), but requires authenticated session context and user interaction, limiting attack surface.

RemediationAI

HCL has released security updates addressing this vulnerability; customers should consult HCL support bulletin KB0128144 for specific patched version numbers and upgrade timelines. Immediate compensating controls include: (1) Restrict direct URL access to BigFix SM administrative directories using web application firewall (WAF) rules or reverse proxy configurations to block requests to known sensitive paths, noting this may impact legitimate administrative workflows and must be tested in staging; (2) Implement IP-based access controls limiting BigFix SM access to trusted administrative networks and VPN ranges, reducing exposure to opportunistic remote attackers; (3) Enforce multi-factor authentication (MFA) for all BigFix SM user accounts, particularly administrative and service accounts, to prevent low-privilege authenticated access even if credentials are compromised; (4) Audit and revoke unnecessary low-privilege accounts, minimizing the PR:L attack surface. These controls are temporary pending patching and should not replace vendor updates.

CVE-2024-30151 HIGH
8.3 May 06

HCL BigFix Service Management (SX) is affected by a Broken Access Control vulnerability leading to privilege escalation.

CVE-2025-31976 HIGH
7.5 May 06

Credential exposure in HCL BigFix Service Management (SM) version 23 leaves credentials insufficiently protected for a b

CVE-2025-31960 MEDIUM
5.3 May 06

HCL BigFix Service Management (SM) leaks sensitive information through improper error handling in its reporting module.

CVE-2025-31981 MEDIUM
5.3 Apr 21

HCL BigFix Service Management Discovery accepts unencrypted HTTP traffic on port 80, allowing network-adjacent attackers

CVE-2025-52613 MEDIUM
4.6 May 06

HCL BigFix Service Management (SM) contains an insecure or outdated WSGI server implementation that exposes the applicat

CVE-2025-31978 MEDIUM
4.3 May 06

HCL BigFix Service Management fails to sanitize spreadsheet data (CSV, XLS, XLSX) before export, allowing authenticated

CVE-2025-31974 LOW
3.9 May 06

HCL BigFix Service Management is vulnerable to improper root filesystem configuration, allowing high-privileged authenti

CVE-2025-31984 LOW
3.7 May 06

HCL BigFix Service Management lacks secure X-Content-Type-Options HTTP headers, allowing browsers to perform MIME-type s

CVE-2025-31958 LOW
3.7 Apr 21

HTTP request smuggling in HCL BigFix Service Management allows remote unauthenticated attackers to exploit HTTP parsing

CVE-2025-31983 LOW
3.7 May 06

HCL BigFix Service Management (SM) contains a Content Security Policy (CSP) header misconfiguration that enables cross-s

CVE-2025-31959 LOW
3.5 May 06

HCL BigFix Service Management fails to strip EXIF metadata from uploaded images, allowing authenticated users to inadver

CVE-2025-31957 LOW
2.6 May 06

HCL BigFix Service Management (SM) contains a cross-site request forgery (CSRF) vulnerability that allows authenticated

Share

CVE-2025-31982 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy