
HCL Hive CVE-2025-59874

EUVD-2025-210064 · HIGH
OWASP Top Ten 2017 Category A1 - Injection (CWE-1027)
2026-06-04 · HCL · GHSA-2787-q92c-v934
8.1 (CVSS 3.1 · NVD)

Severity by source

NVD (primary): 8.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

1. Analysis Generated: Jun 04, 2026 - 14:16 (vuln.today)

Description (CVE.org)

HCL Hive Telco Observability is affected by a missing required CSP directives issue detected in the Keycloak component of the web application. Missing essential directives can leave a site vulnerable.

Analysis (AI)

Content Security Policy weakness in HCL Hive Telco Observability's Keycloak authentication component allows remote attackers to leverage missing CSP directives for client-side attacks against authenticated users. The CVSS 8.1 (AV:N/AC:L/PR:N/UI:R) rating reflects high confidentiality and integrity impact contingent on user interaction, with no public exploit identified at time of analysis. The flaw resides in the web application's browser security headers rather than server-side logic.

Technical Context (AI)

The vulnerability sits within the Keycloak identity-and-access-management component embedded in HCL Hive Telco Observability, an OSS/BSS observability platform for telecommunications operators. CWE-1027 (the OWASP Top Ten 2017 Category A1 - Injection category, applied here to missing CSP directives) describes a configuration weakness where the Content-Security-Policy HTTP response header lacks required directives such as default-src, script-src, frame-ancestors, or object-src. Without these directives, the browser falls back to permissive defaults, allowing inline scripts, third-party resource loading, or framing that a proper CSP would block. Because Keycloak commonly hosts login, token, and admin endpoints, missing CSP directives there expose authentication flows to client-side injection or clickjacking-style attacks.

Remediation (AI)

Patch availability is not explicitly stated in the input data - consult the HCL knowledge base article at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128725 for vendor-released fix versions and apply the upgrade once identified. As a compensating control until patched, deploy a reverse proxy or WAF in front of the Hive Keycloak endpoints to inject a strict Content-Security-Policy header (e.g., default-src 'self'; frame-ancestors 'none'; object-src 'none'; script-src 'self' with nonces), accepting the trade-off that overly tight directives may break legitimate Keycloak login themes or embedded admin UIs and require tuning. Additionally enforce X-Frame-Options: DENY to mitigate clickjacking exposure, and restrict Keycloak admin console reachability to management networks to reduce the user-interaction attack surface.
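The following is an added example, not code from HCL, Keycloak or vuln.today: a small checker that parses a Content-Security-Policy header the way a browser tokenises it, reports which of the directives named in the Technical Context above are absent, flags source lists that undo the policy, and builds the compensating header described in the Remediation (self-only defaults, no framing, no plugins, nonce-gated scripts). The set of required directives and the two sample responses are assumptions constructed for the example; run it against the headers your proxy actually emits to confirm the compensating control is in place.

```python
import secrets

# Directives the analysis above treats as essential; this set is an assumption for the example.
REQUIRED_DIRECTIVES = ("default-src", "script-src", "frame-ancestors", "object-src")


def parse_csp(header):
    """Parse a CSP header value into {directive-name: [source expressions]}.

    Directives are separated by ';' and tokenised on whitespace; names are
    case-insensitive. A directive repeated later in the policy is ignored,
    which matches how browsers treat duplicates.
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def missing_directives(header, required=REQUIRED_DIRECTIVES):
    """Return the required directives absent from the policy (all of them if there is no header)."""
    policy = parse_csp(header or "")
    return [d for d in required if d not in policy]


def weak_sources(header):
    """Flag source lists that defeat the purpose of CSP for script execution or origin restriction."""
    findings = []
    for name, sources in parse_csp(header or "").items():
        if name in ("default-src", "script-src") and "'unsafe-inline'" in sources:
            findings.append(f"{name} allows 'unsafe-inline'")
        if "*" in sources:
            findings.append(f"{name} allows any origin (*)")
    return findings


def evaluate_response_headers(headers):
    """Evaluate the browser security headers of one HTTP response given as a dict.

    Header names are matched case-insensitively, as a reverse proxy or test client would.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy")
    return {
        "csp_present": csp is not None,
        "missing": missing_directives(csp),
        "weak": weak_sources(csp),
        "x_frame_options_deny": lower.get("x-frame-options", "").strip().upper() == "DENY",
    }


def build_strict_csp(nonce=None):
    """Build the compensating header suggested above: self-only defaults, no framing,
    no plugins, scripts only from self plus a per-response nonce.

    The nonce must be freshly generated for every response and echoed on each
    <script> tag the page legitimately needs; reusing a nonce defeats the control.
    """
    nonce = nonce or secrets.token_urlsafe(16)
    return (
        "default-src 'self'; "
        "frame-ancestors 'none'; "
        "object-src 'none'; "
        f"script-src 'self' 'nonce-{nonce}'"
    )


# Constructed sample responses (not captured from any HCL or Keycloak deployment).
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "frame-src 'self'; style-src 'self' 'unsafe-inline'",
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "Content-Security-Policy": build_strict_csp("c0nstructedN0nce"),
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, evaluate_response_headers(response))
```

On the weak sample every required directive is reported missing even though a policy header is present, which is the situation the description refers to: a CSP that exists but does not constrain scripts, framing or plugins. Apply the same check to the login, token and admin paths separately, since a proxy rule that injects the header on one location block may not cover the others.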


CVE-2025-59874 vulnerability details – vuln.today
