Skip to main content

BigFix Remote Control CVE-2026-21785

| EUVDEUVD-2026-32658 MEDIUM
Improper Restriction of Rendered UI Layers or Frames (CWE-1021)
2026-05-27 psirt@hcl.com GHSA-6x6f-pfq2-m75m
4.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.0 MEDIUM
AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 22:27 vuln.today

DescriptionCVE.org

A misconfigured Content Security Policy (CSP) in HCL BigFix Remote Control Server WebUI (versions 10.1.0.0442 and earlier) fails to define directives without fallbacks, allowing attackers to bypass intended security restrictions and load unauthorized resources.

AnalysisAI

HCL BigFix Remote Control Server WebUI versions 10.1.0.0442 and earlier expose a misconfigured Content Security Policy that omits fallback directives, permitting browsers to bypass intended origin restrictions and load unauthorized external resources. The Changed Scope (S:C) in the CVSS vector confirms that exploitation can affect resources or contexts beyond the vulnerable WebUI component itself - consistent with the XSS tag indicating potential cross-origin script injection. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis, though the high-privilege and user-interaction prerequisites substantially constrain the realistic attack surface.

Technical ContextAI

Content Security Policy (CSP) is an HTTP response header mechanism that restricts which origins a browser may load scripts, styles, frames, and other resources from. When a CSP omits directives without a catch-all fallback (typically default-src), browsers revert to their permissive built-in defaults for those unspecified resource types, effectively nullifying that portion of the policy. CWE-1021 (Improper Restriction of Rendered UI Layers or Frames) maps to this class of flaw, which includes missing frame-ancestors or frame-src directives that can enable clickjacking or unauthorized framing alongside cross-origin script injection. The affected component is the HCL BigFix Remote Control Server WebUI - BigFix Remote Control is an enterprise endpoint remote-management platform widely deployed in corporate IT environments. No explicit CPE string was included in the intelligence data; the affected product is identified from EUVD-2026-32658 and the NVD description as BigFix Remote Control Server versions 10.1.0.0442 and earlier.

RemediationAI

Consult the HCL PSIRT advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130581 to identify the specific patched release and apply it; no confirmed fixed version number was present in the available intelligence data, so citing KB0130581 as the authoritative patch reference is mandatory before scheduling the upgrade. As an interim compensating control where immediate patching is not feasible, a reverse proxy or WAF can inject a corrected Content-Security-Policy response header enforcing default-src 'self'; script-src 'self'; style-src 'self'; frame-ancestors 'none'; object-src 'none' - note that overly restrictive overrides may break legitimate application functionality if the WebUI loads resources from CDNs or partner origins, requiring regression testing. Additionally, restrict WebUI network access to trusted internal management VLANs or VPN-only segments to limit exposure of the high-privilege interface and reduce the network-accessible (AV:N) attack surface while the patch is evaluated.

Share

CVE-2026-21785 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy