
BigFix Service Management (SM) EUVD-2025-209693

CVE-2025-31976 HIGH
Information Exposure (CWE-200)
2026-05-06 HCL GHSA-hv3j-f356-x9xp
7.5
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
5.9 MEDIUM

Network confidentiality-only exposure (C:H, I:N, A:N) with no auth, but AC:H because the attacker must be positioned to capture the credential during a short transient communication window.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

Analysis Updated
Jun 29, 2026 - 15:13 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 29, 2026 - 15:13 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 29, 2026 - 15:07 vuln.today
cvss_changed
Severity Changed
Jun 29, 2026 - 15:07 NVD
MEDIUM → HIGH
CVSS changed
Jun 29, 2026 - 15:07 NVD
4.8 (MEDIUM) → 7.5 (HIGH)
Analysis Generated
May 06, 2026 - 15:00 vuln.today

Description (NVD)

HCL BigFix Service Management (SM) is vulnerable to insufficiently protected credentials for a short duration while communicating with a backend, internal application, which could allow an attacker to potentially misuse them if exfiltrated.

Analysis (AI)

Credential exposure in HCL BigFix Service Management (SM) version 23 leaves credentials insufficiently protected for a brief window while the application communicates with an internal backend service, which an attacker who can capture that traffic could reuse to authenticate to the backend. The flaw was self-reported by HCL and carries a CVSS 7.5 (confidentiality-only) rating; there is no public exploit identified at time of analysis and EPSS is negligible (0.03%, 8th percentile). CISA's SSVC framing rates exploitation as none and the issue as not automatable, indicating low immediate urgency.

CVE-2025-31960 MEDIUM
5.3 May 06

HCL BigFix Service Management (SM) leaks sensitive information through improper error handling in its reporting module.

CVE-2025-31981 MEDIUM
5.3 Apr 21

HCL BigFix Service Management Discovery accepts unencrypted HTTP traffic on port 80, allowing network-adjacent attackers

CVE-2025-52613 MEDIUM
4.6 May 06

HCL BigFix Service Management (SM) contains an insecure or outdated WSGI server implementation that exposes the applicat

CVE-2025-31978 MEDIUM
4.3 May 06

HCL BigFix Service Management fails to sanitize spreadsheet data (CSV, XLS, XLSX) before export, allowing authenticated

CVE-2025-31974 LOW
3.9 May 06

HCL BigFix Service Management is vulnerable to improper root filesystem configuration, allowing high-privileged authenti

CVE-2025-31984 LOW
3.7 May 06

HCL BigFix Service Management lacks secure X-Content-Type-Options HTTP headers, allowing browsers to perform MIME-type s

CVE-2025-31958 LOW
3.7 Apr 21

HTTP request smuggling in HCL BigFix Service Management allows remote unauthenticated attackers to exploit HTTP parsing

CVE-2025-31982 LOW
3.7 May 06

HCL BigFix Service Management contains unauthenticated-accessible directories that are not linked in the user interface

CVE-2025-31983 LOW
3.7 May 06

HCL BigFix Service Management (SM) contains a Content Security Policy (CSP) header misconfiguration that enables cross-s

CVE-2025-31959 LOW
3.5 May 06

HCL BigFix Service Management fails to strip EXIF metadata from uploaded images, allowing authenticated users to inadver

CVE-2025-31957 LOW
2.6 May 06

HCL BigFix Service Management (SM) contains a cross-site request forgery (CSRF) vulnerability that allows authenticated

CVE-2025-31975 LOW
2.6 May 06

HCL BigFix Service Management exposes server banner information containing software versions and system details accessib


EUVD-2025-209693 vulnerability details – vuln.today
