Description
HCL BigFix Service Management is susceptible to HTTP Request Smuggling. HTTP request smuggling vulnerabilities arise when websites route HTTP requests through web servers with inconsistent HTTP parsing. HTTP request smuggling exploits inconsistencies in request parsing between front-end and back-end servers, allowing attackers to bypass security controls and perform attacks like cache poisoning or request hijacking.
Published: 2026-04-21
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Security Control Bypass via HTTP Request Smuggling
Action: Monitor
AI Analysis

Impact

HTTP Request Smuggling occurs when a front‑end and back‑end server parse the same request differently, allowing an attacker to split or duplicate a request. In HCL BigFix Service Management, this flaw can let a malicious actor trick the system into ignoring request boundaries, potentially bypassing authentication or other security controls. The vulnerability is classified as CWE-444 and can lead to cache poisoning or request hijacking.

Affected Systems

The product affected is HCLSoftware: BigFix Service Management (SM). No specific version information is provided, so the issue may be relevant to all installations of the product that employ the implicated HTTP request handling components.

Risk and Exploitability

The CVSS score of 3.7 indicates low severity, and the lack of an EPSS score suggests limited publicly known exploitation activity. It is not listed in the CISA KEV catalog. The attack requires crafting malicious HTTP requests and exploiting server parsing inconsistencies, so the threat surface is confined to environments that expose the SM web interface. Overall risk is moderate: the potential to bypass controls keeps it relevant even though the low CVSS value reflects limited impact.

Generated by OpenCVE AI on April 21, 2026 at 22:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Follow the vendor's guidance (e.g., the HCL support article KB0124209) to apply any available patch or update to the latest BigFix Service Management release.
  • Ensure that the front‑end and back‑end web servers are configured with identical request parsing rules to eliminate inconsistencies that enable smuggling.
  • Deploy a Web Application Firewall or HTTP proxy that rejects duplicate or conflicting headers and enforces strict content‑length validation.
  • Monitor HTTP traffic for characteristics of request smuggling, such as duplicate transfer‑encoding or content‑length headers, and review logs for anomalous requests.
  • If a patch is not immediately available, isolate the BigFix SM service behind a reverse proxy that normalizes request formatting and blocks smuggling attempts.

Generated by OpenCVE AI on April 21, 2026 at 22:49 UTC.
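An added example, not part of the OpenCVE record or of HCL's product, of the strict framing-header check the recommended actions describe: it flags the request-framing inconsistencies a front end and back end may resolve differently, so a reverse proxy or WAF can reject them rather than forward them. The sample requests are constructed; `sm.example` is a placeholder host.

```python
import re

# RFC 7230 token characters: a header name containing anything else (e.g. a
# space before the colon) is malformed and may be read differently by parsers.
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

SAMPLES = {  # constructed request heads for demonstration, not captured traffic
    "clean": b"POST /api HTTP/1.1\r\nHost: sm.example\r\nContent-Length: 5\r\n\r\nhello",
    "cl_te": (b"POST /api HTTP/1.1\r\nHost: sm.example\r\nContent-Length: 4\r\n"
              b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n"),
    "te_obfuscated": b"POST /api HTTP/1.1\r\nHost: sm.example\r\nTransfer-Encoding: xchunked\r\n\r\n",
    "space_before_colon": b"POST /api HTTP/1.1\r\nHost: sm.example\r\nContent-Length : 5\r\n\r\nhello",
}

def check_framing(raw: bytes) -> list[str]:
    """Return the framing findings for one HTTP/1.1 request (empty list = clean).

    A strict front end rejects any request with a finding instead of guessing
    which framing header the back end will honour.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    findings, cl, te = [], [], []
    for line in head.split(b"\r\n")[1:]:             # skip the request line
        name, sep, value = line.partition(b":")
        if not sep or b"\n" in line or not TOKEN.match(name):
            findings.append(f"malformed header line {line!r}")  # also catches folded lines
            continue
        key = name.lower()
        if key == b"content-length":
            cl.append(value.strip())
        elif key == b"transfer-encoding":
            te.append(value.strip())
    if cl and te:
        findings.append("both Content-Length and Transfer-Encoding present")
    if len(cl) > 1:
        findings.append("duplicate Content-Length headers")
    if any(not v.isdigit() for v in cl):
        findings.append("non-numeric Content-Length")
    if any(v.lower() != b"chunked" for v in te):
        findings.append("Transfer-Encoding is not a bare 'chunked'")
    return findings

def scan(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Run the check over every sample; only entries with findings are returned."""
    return {name: f for name, raw in samples.items() if (f := check_framing(raw))}

if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(name, "->", "; ".join(findings))
```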

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 16:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:hcltech:bigfix_service_management:23.0:*:*:*:*:*:*:*

Wed, 22 Apr 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Hcltech; Hcltech bigfix Service Management
Vendors & Products | | Hcltech; Hcltech bigfix Service Management

Wed, 22 Apr 2026 00:00:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 21 Apr 2026 14:30:00 +0000

Type | Values Removed | Values Added
Description | | HCL BigFix Service Management is susceptible to HTTP Request Smuggling. HTTP request smuggling vulnerabilities arise when websites route HTTP requests through web servers with inconsistent HTTP parsing. HTTP Smuggling exploits inconsistencies in request parsing between front-end and back-end servers, allowing attackers to bypass security controls and perform attacks like cache poisoning or request hijacking.
Title | | HCL BigFix Service Management (SM) is susceptible to HTTP Request Smuggling
Weaknesses | | CWE-444
References | |
Metrics | | cvssV3_1 {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Hcltech Bigfix Service Management
MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-04-21T19:32:20.831Z

Reserved: 2025-04-01T18:46:19.517Z

Link: CVE-2025-31958

Vulnrichment

Updated: 2026-04-21T19:32:09.931Z

NVD

Status : Analyzed

Published: 2026-04-21T15:16:35.440

Modified: 2026-04-22T16:01:26.110

Link: CVE-2025-31958

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:46:31Z

Weaknesses