CVE-2025-15634

Published May 9, 2026

Last updated 2 months ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-15634 describes a missing authorization vulnerability found within HCL BigFix WebUI. This flaw allows an authenticated user, even one without the necessary permissions, to access sensitive environmental information. This access is achieved by directly navigating to unauthorized pages through their specific URLs. The vulnerability impacts all versions of HCL BigFix WebUI. As of the current information, there is no official patch or remediation provided by the vendor, and no exploits are publicly reported in the wild.

Description
A missing authorization vulnerability in HCL BigFix WebUI allows an authenticated user without proper permissions to view sensitive environmental information via direct URL access to the unauthorized page.
Source
psirt@hcl.com
NVD status
Analyzed
Products
bigfix_webui_api, bigfix_webui_application_administration, bigfix_webui_cmep, bigfix_webui_common, bigfix_webui_content_app, bigfix_webui_custom, bigfix_webui_data_sync, bigfix_webui_extensions, bigfix_webui_framework, bigfix_webui_insights, bigfix_webui_ivr, bigfix_webui_mdm, bigfix_webui_patch, bigfix_webui_patch_policies, bigfix_webui_permissions_and_preferences, bigfix_webui_profile_management, bigfix_webui_query, bigfix_webui_reports, bigfix_webui_scm, bigfix_webui_software_distribution, bigfix_webui_take_action

Risk scores

CVSS 4.0

Type
Secondary
Base score
5.3
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
MEDIUM

CVSS 3.1

Type
Primary
Base score
4.3
Impact score
1.4
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Severity
MEDIUM

Weaknesses

psirt@hcl.com
CWE-862

Social media

Hype score
Not currently trending

Configurations