CVE-2025-15633

MEDIUM

HCL BigFix WebUI is affected by an improper authorization vulnerability

Title source: cna

Description

An improper authorization vulnerability in HCL BigFix WebUI allows an authenticated user without Master Operator privileges to access internal data (site names, versions, and configuration variables) and bypass privilege requirements via unprotected endpoints lacking adequate security headers.

References (1)

Core 1

Core References

https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130587

Scores

CVSS v3 6.5

EPSS 0.0003

EPSS Percentile 10.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-863

Status published

Products (22)

HCLSoftware/BigFix WebUI all versions

hcltech/bigfix_webui_api < 33

hcltech/bigfix_webui_application_administration < 40

hcltech/bigfix_webui_cmep < 22

hcltech/bigfix_webui_common < 101

hcltech/bigfix_webui_content_app < 28

hcltech/bigfix_webui_custom < 50

hcltech/bigfix_webui_data_sync < 37

hcltech/bigfix_webui_extensions < 14

hcltech/bigfix_webui_framework < 35

... and 12 more

Published May 09, 2026

Tracked Since May 09, 2026