Description
HCL BigFix Service Management (SM) does not adequately sanitize or safely render spreadsheet files (CSV, XLS, XLSX) before processing or distributing them. An attacker could populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when automatically executed by the spreadsheet software. Note that current versions of Excel warn users of untrusted content.
Published: 2026-05-06
Score: 4.6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises because HCL BigFix Service Management (SM) does not adequately sanitize or safely render spreadsheet files such as CSV, XLS, and XLSX before they are processed or distributed. When a malicious user populates specific data fields, the resulting CSV file could attempt the exfiltration of data or trigger other malicious activity when automatically executed by spreadsheet software. The CVSS score of 4.6 indicates a moderate level of severity, and the risk is primarily for confidential data leakage or local execution of spreadsheet content.

Affected Systems

All versions of HCL Software’s BigFix Service Management (SM) are potentially affected, as the CVE entry does not provide a narrower version scope. Users of this product should assume that any deployment that accepts spreadsheet uploads is impacted.

Risk and Exploitability

The CVSS rating reflects moderate impact; the EPSS score is not available, so the exploitation probability is not quantified, and the vulnerability is not listed in CISA’s KEV catalog. The typical attack requires an adversary to upload a malicious spreadsheet file to the system and a user to open that file, thereby triggering execution of the embedded content. The risk is largely confined to environments where spreadsheet files are processed automatically or opened by users who may not be aware of the untrusted content warning in current versions of Excel.

Generated by OpenCVE AI on May 6, 2026 at 15:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict or disable the upload and processing of CSV, XLS, and XLSX files in BigFix SM until a vendor patch is available
  • Implement a separate sanitization or validation step that ensures spreadsheet files are free of malicious content before processing or distribution
  • Educate users to keep Excel’s untrusted‑content warnings enabled and to avoid automatically executing spreadsheet files received from the system

Generated by OpenCVE AI on May 6, 2026 at 15:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 06 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 06 May 2026 14:30:00 +0000

Type Values Removed Values Added
Description HCL BigFix Service Management (SM) does not adequately sanitize or safely render spreadsheet files (CSV, XLS, XLSX) before processing or distributing them. An attacker could populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when automatically executed by the spreadsheet software. Note that current versions of Excel warn users of untrusted content.
Title HCL BigFix Service Management (SM) does not adequately sanitize or safely render
Weaknesses CWE-201
References
Metrics cvssV3_1

{'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-05-06T14:47:34.200Z

Reserved: 2025-04-01T18:46:26.621Z

Link: CVE-2025-31978

cve-icon Vulnrichment

Updated: 2026-05-06T14:47:30.934Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-06T15:16:06.207

Modified: 2026-05-06T19:00:48.330

Link: CVE-2025-31978

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T16:00:06Z

Weaknesses