Description
HCL BigFix Service Management (SM) had directories that were not linked or publicly visible but could be accessed directly. This could allow an increased risk of information disclosure or misuse of sensitive functionality.
Published: 2026-05-06
Score: 3.7 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Exposed hidden directories in HCL BigFix Service Management allow unauthorized users to retrieve files that were not meant to be publicly accessible. The vulnerability arises because the application does not restrict direct URL access to certain directories, leading to a confidentiality breach. An attacker who can guess or enumerate the directory paths could read configuration files, logs, or other sensitive data stored there, potentially aiding further compromise.

Affected Systems

Systems running HCL Software's BigFix Service Management (SM) are affected. The scan was performed on the generic product without specific version information, so any deployment of the product should be examined. No particular version range was listed in the CNA data.

Risk and Exploitability

The CVSS score of 3.7 indicates a low‑to‑moderate risk. EPSS data is unavailable, and the vulnerability is not listed in CISA's KEV catalog, suggesting no widespread exploitation is documented. The likely attack vector is remote HTTP access to non‑linked directories, which may require the attacker to discover the correct URL paths. No authentication is required if the directories are directly accessible; thus, the risk is primarily exposure of sensitive information to anyone who can reach the web server.

Generated by OpenCVE AI on May 6, 2026 at 15:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑supplied updates or patches released after the vulnerability was disclosed.
  • Update the web server configuration to deny HTTP access to directories that are not intended for public exposure, using access control mechanisms such as .htaccess rules or server‑side deny directives.
  • Perform a thorough audit of the deployed file system to identify any remaining hidden directories and confirm that they are properly protected or removed.
  • Enable logging for all attempted access to these directories and regularly review logs for suspicious activity.

Generated by OpenCVE AI on May 6, 2026 at 15:51 UTC.

Tracking


Advisories

No advisories yet.

History

Wed, 06 May 2026 15:30:00 +0000

Type        | Values Removed | Values Added
Metrics     | (none)         | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 06 May 2026 14:30:00 +0000

Type        | Values Removed | Values Added
Description | (none)         | HCL BigFix Service Management (SM) had directories that were not linked or publicly visible but could be accessed directly. This could allow an increased risk of information disclosure or misuse of sensitive functionality.
Title       | (none)         | HCL BigFix Service Management (SM) had directories that were not linked or publicly visible but could be accessed directl
Weaknesses  | (none)         | CWE-200
References  | (none)         | (none)
Metrics     | (none)         | cvssV3_1: {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-05-06T14:48:15.530Z

Reserved: 2025-04-01T18:46:33.655Z

Link: CVE-2025-31982

Vulnrichment

Updated: 2026-05-06T14:48:12.735Z

NVD

Status : Undergoing Analysis

Published: 2026-05-06T15:16:06.320

Modified: 2026-05-06T19:00:48.330

Link: CVE-2025-31982

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T16:00:06Z

Weaknesses