- Description
- An improper authorization vulnerability in HCL BigFix WebUI allows an authenticated user without Master Operator privileges to access internal data (site names, versions, and configuration variables) and bypass privilege requirements via unprotected endpoints lacking adequate security headers.
- Source
- psirt@hcl.com
- NVD status
- Analyzed
- Products
- bigfix_webui_api, bigfix_webui_application_administration, bigfix_webui_cmep, bigfix_webui_common, bigfix_webui_content_app, bigfix_webui_custom, bigfix_webui_data_sync, bigfix_webui_extensions, bigfix_webui_framework, bigfix_webui_insights, bigfix_webui_ivr, bigfix_webui_mdm, bigfix_webui_patch, bigfix_webui_patch_policies, bigfix_webui_permissions_and_preferences, bigfix_webui_profile_management, bigfix_webui_query, bigfix_webui_reports, bigfix_webui_scm, bigfix_webui_software_distribution, bigfix_webui_take_action
CVSS 4.0
- Type
- Secondary
- Base score
- 5.3
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- MEDIUM
CVSS 3.1
- Type
- Primary
- Base score
- 6.5
- Impact score
- 3.6
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- Severity
- MEDIUM
- psirt@hcl.com
- CWE-863
- Hype score
- Not currently trending
⚡ New CVE Alert: CVE-2025-15633 📊 Severity: 5.3 🚨 Risk Level: Medium 🧩 Affects: Multiple / Unspecified Products Reference: https://t.co/fcglcHkpJw #CVE-2025-15633 #CVE #Medium #CyberSecurity #InfoSec https://t.co/AOJqPr6JDC
@CVEarity
11 May 2026
166 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-15633 An improper authorization vulnerability in HCL BigFix WebUI allows an authenticated user without Master Operator privileges to access internal data (site names, versi… https://t.co/OgscQLXdLs
@CVEnew
9 May 2026
227 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-15633 Improper Authorization in HCL BigFix WebUI Allows Privilege Bypass https://t.co/q4y44CEEoi
@VulmonFeeds
9 May 2026
242 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hcltech:bigfix_webui_api:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8680650F-B404-4812-AD8D-F93A7F52C20B",
"versionEndExcluding": "33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:hcltech:bigfix_webui_application_administration:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D8757E08-9B05-45FD-BEAC-7D27423C7FC4",
"versionEndExcluding": "40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:hcltech:bigfix_webui_cmep:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DD60E500-25B7-42B4-8B0E-D84967B78AF4",
"versionEndExcluding": "22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:hcltech:bigfix_webui_common:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E6441EA2-8CF7-4A3B-8AD8-BBE2A62E5DF4",
"versionEndExcluding": "101",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:hcltech:bigfix_webui_content_app:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CFE1EED8-C5C9-47CD-B20E-E5D113B4DF48",
"versionEndExcluding": "28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:hcltech:bigfix_webui_custom:*:*:*:*:*:*:*:*",
"matchCriteriaId": "92437F31-8DD7-4440-AF6A-02B5DDA55A3F",
"versionEndExcluding": "50",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:hcltech:bigfix_webui_data_sync:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9F3C0E3C-1CE1-43FC-9B4C-8D0EE77E3E10",
"versionEndExcluding": "37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:hcltech:bigfix_webui_extensions:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0F22F7CB-24CC-445F-87D9-CB0B4346401E",
"versionEndExcluding": "14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:hcltech:bigfix_webui_framework:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B7C2A16C-A840-47FF-9272-A17BD4CD7499",
"versionEndExcluding": "35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:hcltech:bigfix_webui_insights:*:*:*:*:*:*:*:*",
"matchCriteriaId": "97643BD1-2CE5-43A4-86C9-C25EE643E977",
"versionEndExcluding": "32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:hcltech:bigfix_webui_ivr:*:*:*:*:*:*:*:*",
"matchCriteriaId": "58DA2A15-7F8A-4D04-A158-18CBB803BF8C",
"versionEndExcluding": "23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:hcltech:bigfix_webui_mdm:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A1287A97-8E7A-4B5F-BE14-2D871BD2E886",
"versionEndExcluding": "29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:hcltech:bigfix_webui_patch:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5CA0410D-FC23-4F02-B460-3AAF36534B35",
"versionEndExcluding": "54",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:hcltech:bigfix_webui_patch_policies:*:*:*:*:*:*:*:*",
"matchCriteriaId": "99FC5DA2-E98F-4EE7-ABC1-9CAE3141DE63",
"versionEndExcluding": "51",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:hcltech:bigfix_webui_permissions_and_preferences:*:*:*:*:*:*:*:*",
"matchCriteriaId": "14A1AC9F-42FA-4CEA-9198-78F902069EB5",
"versionEndExcluding": "27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:hcltech:bigfix_webui_profile_management:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7EC90454-5ACF-437A-98E5-4FA331436BAB",
"versionEndExcluding": "33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:hcltech:bigfix_webui_query:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C9399A9A-9034-45E1-848A-96618F90AE9A",
"versionEndExcluding": "45",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:hcltech:bigfix_webui_reports:*:*:*:*:*:*:*:*",
"matchCriteriaId": "76DCC419-4FDB-4863-847D-346BF4EC3458",
"versionEndExcluding": "24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:hcltech:bigfix_webui_scm:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5AF61FBA-D9FA-4D8F-9C63-BDB7266281E3",
"versionEndExcluding": "20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:hcltech:bigfix_webui_software_distribution:*:*:*:*:*:*:*:*",
"matchCriteriaId": "78E47D3B-035E-4B5A-90FB-B15262EE93F0",
"versionEndExcluding": "54",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:hcltech:bigfix_webui_take_action:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8E08C0D1-A177-40F8-B5E0-EA14D66B38FC",
"versionEndExcluding": "37",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
]