Severity by source
CVSS Vector (NVD): CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
HCL BigFix Service Management (SM) is affected by the use of a vulnerable WSGI server. Deploying an outdated or insecure WSGI server may expose the application to known security weaknesses, potentially increasing the risk of exploitation and unauthorized access.
Analysis (AI)
HCL BigFix Service Management (SM) contains an insecure or outdated WSGI server implementation that exposes the application to known security weaknesses. An authenticated attacker on an adjacent network (AV:A) who can meet the high attack-complexity conditions (AC:H) can achieve limited information disclosure, integrity compromise and availability impact (CVSS 3.1 base score 4.6). No active exploitation or public POC was identified at the time of analysis.
Technical Context (AI)
WSGI (Web Server Gateway Interface) is the standard interface specification between Python web applications and the servers that host them. The vulnerability stems from deploying an outdated or misconfigured WSGI server within BigFix Service Management's application stack; it is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). An outdated WSGI server may lack security patches for authentication bypass, input validation flaws or information exposure issues that were fixed in later releases. The affected product is identified by the CPE cpe:2.3:a:hcl:bigfix_service_management_(sm):*:*:*:*:*:*:*:*; the wildcard version field indicates that all versions are potentially affected until patched.
Remediation (AI)
Update HCL BigFix Service Management to a patched version that ships a secure, current WSGI server. Consult HCL support KB article KB0128144 for the exact patched version numbers and upgrade procedures. As an interim compensating control, restrict network access to the BigFix SM administration interfaces to trusted internal networks only; since the attack vector is adjacent network (AV:A), limiting who can reach the service on the same network segment directly reduces the exposed attack surface. Disable unnecessary features or protocols if the WSGI server exposes endpoints that are not needed. Review and enforce strong authentication policies for all service accounts that access BigFix SM, and monitor authentication logs for suspicious activity. If a patched version is not yet available, apply the hardening recommendations from HCL's advisory and, where the architecture permits, evaluate running the application on an alternative, currently maintained WSGI server.
EUVD-2025-209702
GHSA-vrr6-hxxc-pgc8