Skip to main content

BigFix Cloud Lifecycle Management EUVDEUVD-2025-210065

| CVE-2025-62338 LOW
2026-06-04 HCL GHSA-r74h-mwp4-5mm3
3.3
CVSS 3.1 · NVD

Severity by source

Vendor (HCL) PRIMARY
LOW
qualitative
NVD
3.3 LOW
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from Vendor (HCL).

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 04, 2026 - 14:16 vuln.today

DescriptionCVE.org

The HCL BigFix Cloud Lifecycle Management is affected by Lack Of Input Validation. It may leads to an information exposure vulnerability. This low-level flaw allows unauthorized access.

AnalysisAI

Local information exposure in HCL BigFix Cloud Lifecycle Management stems from insufficient input validation, allowing a locally authenticated low-privileged user to access data they should not be authorized to view. The CVSS vector (AV:L/AC:L/PR:L/UI:N) confirms exploitation requires local system access and a low-privilege account. No active exploitation has been confirmed and no public exploit code is known at time of analysis. Despite a tag of 'Authentication Bypass,' the PR:L vector indicates some authentication is required - this discrepancy should be clarified with the vendor advisory.

Technical ContextAI

HCL BigFix Cloud Lifecycle Management is an enterprise IT automation platform for managing cloud workloads and lifecycle operations. The vulnerability is rooted in a lack of input validation (the description's stated root cause), which permits unintended data access paths. The CWE classification was not provided by the reporter, but based on the description and tags, the behavior is consistent with CWE-20 (Improper Input Validation) leading to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CPE string cpe:2.3:a:hcl:bigfix_cloud_lifecycle_management:*:*:*:*:*:*:*:* uses a wildcard version component, meaning NVD has not constrained the affected version range to specific releases - all known versions of the product must be treated as potentially affected until vendor confirmation narrows the scope.

RemediationAI

Consult the HCL vendor advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130802 for patching guidance; the input data indicates a patch is available per vendor advisory but does not specify an exact fixed version number, so the precise upgrade target must be confirmed from that source. As an interim compensating control, restrict local system access to BigFix Cloud Lifecycle Management hosts to only those accounts that strictly require it, thereby reducing the pool of potential low-privilege users who could trigger the flaw. Audit local user accounts on affected hosts and remove unnecessary permissions. Additionally, review and restrict filesystem or API permissions on sensitive data paths exposed by the platform, as this may limit the confidentiality impact even if the underlying validation flaw is not yet patched. These mitigations carry the trade-off of operational overhead in access management but do not resolve the root cause.

Share

EUVD-2025-210065 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy