Severity by source
Primary rating from NVD (only source for this CVE).
CVSS Vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Lifecycle Timeline
Description (NVD)
HCL BigFix Service Management (SM) does not adequately sanitize or safely render spreadsheet files (CSV, XLS, XLSX) before processing or distributing them. An attacker could populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when automatically executed by the spreadsheet software. Note that current versions of Excel warn users of untrusted content.
Analysis (AI)
HCL BigFix Service Management fails to sanitize spreadsheet data (CSV, XLS, XLSX) before export, allowing authenticated users to inject formulas or malicious content that executes when recipients open the files in spreadsheet applications. An attacker with legitimate service management access can craft payloads in data fields that, when exported and opened by targeted users, may exfiltrate information or trigger unintended actions, though modern Excel versions mitigate this with untrusted content warnings. CVSS 4.6 reflects moderate risk limited to authenticated users and required user interaction (opening the file).
Technical Context (AI)
The vulnerability stems from improper handling of user-controlled data during spreadsheet file generation. When BigFix SM exports service management records to CSV, XLS, or XLSX formats, it does not escape or sanitize formula prefixes (e.g., =, +, @, -) that spreadsheet applications interpret as executable content. This is a manifestation of CWE-201 (Exposure of Sensitive Information Through an Error Message) extended to formula injection, a subset of CSV injection attacks. The root cause is the absence of input validation or output encoding specifically tailored to spreadsheet formats, which treat certain prefixes as directives rather than literal text. Affected systems run any version of HCL BigFix Service Management (cpe:2.3:a:hcl_software:bigfix_service_management_(sm):*:*:*:*:*:*:*:*), indicating that the vulnerability spans the entire product line until patched.
Remediation (AI)
Apply the vendor-released patch specified in the HCL KB article (https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144); consult this reference for exact patched version numbers. Interim mitigations include: (1) restrict export functionality to trusted internal users only by applying role-based access controls in BigFix SM; (2) disable CSV/XLS/XLSX export features in BigFix SM if not operationally necessary, accepting the loss of data export capability; (3) educate users receiving spreadsheet exports to enable formula auditing or disable automatic formula execution in Excel (via macro security settings), at the cost of reduced spreadsheet usability; (4) configure endpoint protection to block execution of suspicious formulas in spreadsheet software. The most effective control pending patch deployment is limiting export access to authenticated users known to be trustworthy, since the attack requires both authentication and victim interaction.
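The output-encoding control missing here (per the Technical Context) and the patch-side fix the Remediation section points to amount to the same thing: neutralizing formula prefixes at export time. The following is an added illustration of that control, not HCL's code or the vendor patch; the record fields, the `sanitize_cell`/`export_rows` names and the sample rows are constructed for this example, and it also guards tab and carriage return, which some spreadsheet importers treat like a formula prefix.

```python
import csv
import io

# Leading characters that spreadsheet applications read as the start of a
# formula (=, +, -, @ as named above), plus tab and carriage return, which
# some importers also use to re-parse a cell as a formula. Assumption: this
# list is the one a defender would apply; it is not taken from the vendor fix.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def sanitize_cell(value):
    """Return a value safe to write into an exported spreadsheet cell.

    Typed numbers produced by the application are passed through unchanged.
    Text is converted to str, and if it starts with a formula prefix a single
    quote is prepended so the spreadsheet stores it as literal text.
    """
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return value
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_PREFIXES):
        return "'" + text
    return text


def export_rows(header, rows):
    """Render header and rows as CSV text with every cell sanitized.

    QUOTE_ALL wraps each field in double quotes and doubles any embedded
    quote, so a crafted value cannot terminate its field early either.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow([sanitize_cell(h) for h in header])
    for row in rows:
        writer.writerow([sanitize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample records resembling a service-desk ticket export; row 102
# carries formula-like text in a user-controlled field.
SAMPLE_HEADER = ["id", "title", "resolution"]
SAMPLE_ROWS = [
    (101, "Printer offline", "Replaced toner"),
    (102, "=SUM(1,2)", "pending"),
    (103, "+1 for the new portal", "-"),
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_HEADER, SAMPLE_ROWS), end="")
```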
Technique: Information Disclosure
EUVD ID: EUVD-2025-209695