Severity by source
AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
HCL BigFix Service Management (SM) had directories that were not linked or publicly visible but could be accessed directly. This could allow an increased risk of information disclosure or misuse of sensitive functionality.
AnalysisAI
HCL BigFix Service Management contains unauthenticated-accessible directories that are not linked in the user interface but can be reached through direct URL access, enabling authenticated users with low privileges to disclose sensitive information or access restricted functionality. The vulnerability requires authenticated access, user interaction, and higher-than-average attack complexity; active exploitation status has not been confirmed.
Technical ContextAI
HCL BigFix Service Management (SM) is an IT operations and change management platform. The vulnerability stems from improper access controls on web application directories (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor). These directories lack proper authentication or authorization checks despite not being exposed through normal navigation paths. An attacker who gains low-privilege authenticated access (PR:L per CVSS vector) and can interact with a logged-in user (UI:R) can construct direct URLs to reach these hidden directories, bypassing the intended user interface abstraction layer. The attack vector is network-based (AV:N), but requires authenticated session context and user interaction, limiting attack surface.
RemediationAI
HCL has released security updates addressing this vulnerability; customers should consult HCL support bulletin KB0128144 for specific patched version numbers and upgrade timelines. Immediate compensating controls include: (1) Restrict direct URL access to BigFix SM administrative directories using web application firewall (WAF) rules or reverse proxy configurations to block requests to known sensitive paths, noting this may impact legitimate administrative workflows and must be tested in staging; (2) Implement IP-based access controls limiting BigFix SM access to trusted administrative networks and VPN ranges, reducing exposure to opportunistic remote attackers; (3) Enforce multi-factor authentication (MFA) for all BigFix SM user accounts, particularly administrative and service accounts, to prevent low-privilege authenticated access even if credentials are compromised; (4) Audit and revoke unnecessary low-privilege accounts, minimizing the PR:L attack surface. These controls are temporary pending patching and should not replace vendor updates.
More in Bigfix Service Management Sm
View allHCL BigFix Service Management (SX) is affected by a Broken Access Control vulnerability leading to privilege escalation.
Credential exposure in HCL BigFix Service Management (SM) version 23 leaves credentials insufficiently protected for a b
HCL BigFix Service Management (SM) leaks sensitive information through improper error handling in its reporting module.
HCL BigFix Service Management Discovery accepts unencrypted HTTP traffic on port 80, allowing network-adjacent attackers
HCL BigFix Service Management (SM) contains an insecure or outdated WSGI server implementation that exposes the applicat
HCL BigFix Service Management fails to sanitize spreadsheet data (CSV, XLS, XLSX) before export, allowing authenticated
HCL BigFix Service Management is vulnerable to improper root filesystem configuration, allowing high-privileged authenti
HCL BigFix Service Management lacks secure X-Content-Type-Options HTTP headers, allowing browsers to perform MIME-type s
HTTP request smuggling in HCL BigFix Service Management allows remote unauthenticated attackers to exploit HTTP parsing
HCL BigFix Service Management (SM) contains a Content Security Policy (CSP) header misconfiguration that enables cross-s
HCL BigFix Service Management fails to strip EXIF metadata from uploaded images, allowing authenticated users to inadver
HCL BigFix Service Management (SM) contains a cross-site request forgery (CSRF) vulnerability that allows authenticated
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209697
GHSA-r7c2-39pq-6jh8