Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from Vendor (HCL).
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
The HCL BigFix Cloud Lifecycle Management is affected by Lack Of Input Validation. It may leads to an information exposure vulnerability. This low-level flaw allows unauthorized access.
AnalysisAI
Local information exposure in HCL BigFix Cloud Lifecycle Management stems from insufficient input validation, allowing a locally authenticated low-privileged user to access data they should not be authorized to view. The CVSS vector (AV:L/AC:L/PR:L/UI:N) confirms exploitation requires local system access and a low-privilege account. No active exploitation has been confirmed and no public exploit code is known at time of analysis. Despite a tag of 'Authentication Bypass,' the PR:L vector indicates some authentication is required - this discrepancy should be clarified with the vendor advisory.
Technical ContextAI
HCL BigFix Cloud Lifecycle Management is an enterprise IT automation platform for managing cloud workloads and lifecycle operations. The vulnerability is rooted in a lack of input validation (the description's stated root cause), which permits unintended data access paths. The CWE classification was not provided by the reporter, but based on the description and tags, the behavior is consistent with CWE-20 (Improper Input Validation) leading to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CPE string cpe:2.3:a:hcl:bigfix_cloud_lifecycle_management:*:*:*:*:*:*:*:* uses a wildcard version component, meaning NVD has not constrained the affected version range to specific releases - all known versions of the product must be treated as potentially affected until vendor confirmation narrows the scope.
RemediationAI
Consult the HCL vendor advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130802 for patching guidance; the input data indicates a patch is available per vendor advisory but does not specify an exact fixed version number, so the precise upgrade target must be confirmed from that source. As an interim compensating control, restrict local system access to BigFix Cloud Lifecycle Management hosts to only those accounts that strictly require it, thereby reducing the pool of potential low-privilege users who could trigger the flaw. Audit local user accounts on affected hosts and remove unnecessary permissions. Additionally, review and restrict filesystem or API permissions on sensitive data paths exposed by the platform, as this may limit the confidentiality impact even if the underlying validation flaw is not yet patched. These mitigations carry the trade-off of operational overhead in access management but do not resolve the root cause.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210065
GHSA-r74h-mwp4-5mm3