Description
HCL BigFix Platform is affected by insecure permissions on private cryptographic keys. The private cryptographic keys located on a Windows host machine might be subject to overly permissive file system permissions.
Published: 2026-04-01
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Key Access
Action: Apply Patch
AI Analysis

Impact

HCL BigFix Platform stores private cryptographic keys on Windows hosts with overly permissive file system permissions. This allows any local user or process with read access to the key files to obtain the keys, enabling the attacker to decrypt protected data, impersonate the system, or sign certificates. The vulnerability is a classic example of improper ACL configuration (CWE-276, CWE-732) and poses a direct threat to the confidentiality and integrity of the platform.

Affected Systems

The affected product is the HCLSoftware BigFix Platform. No specific version information is provided, so all deployments of the platform should be evaluated for the presence of this permission issue.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity vulnerability. EPSS information is not available, so the likelihood of exploitation cannot be quantified based on current data. The vulnerability is not listed in CISA’s KEV catalog, suggesting no known active exploitation. The likely attack vector is a local user or a compromised process on the Windows host being able to read the key files; an attacker who has already obtained remote code execution on the host could likewise take advantage of the permissive permissions. This is inferred from the description of insecure permissions on private keys.

Generated by OpenCVE AI on April 2, 2026 at 02:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch or update to the latest HCL BigFix Platform as provided in the support article.
  • Restrict file system permissions for the private key files so that only the required BigFix service accounts have read access.
  • Re-verify the permissions on all Windows hosts after patching.
  • Schedule regular audits of key file permissions to ensure they remain correctly configured.

Generated by OpenCVE AI on April 2, 2026 at 02:05 UTC.
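One way to carry out the permission-restriction and re-verification steps above on a Windows host, as an added example that is not part of the OpenCVE page or of HCL's tooling: a PowerShell audit that reports every principal outside an expected allow-list that can read the key files. The key file path and the allowed principals are placeholders (assumptions); the page does not document where BigFix stores its private keys, so substitute your deployment's locations and service accounts.

```powershell
# Added example, not HCL or OpenCVE code: audit NTFS ACLs on private key files and
# report principals outside an allow-list that can read them. Paths and principals
# are placeholders (assumptions), not documented BigFix locations; substitute yours.
param(
    [string[]]$KeyPaths = @('C:\PLACEHOLDER\BigFix\keys\*.pvk'),
    [string[]]$AllowedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    # add the BigFix service account(s), e.g. 'DOMAIN\svc_bigfix' (placeholder)
)

# True when an Allow ACE can read file contents: FILE_READ_DATA (0x1, included in
# Read, ReadAndExecute, Modify, FullControl) or the GENERIC_READ / GENERIC_ALL
# bits that inherited ACEs sometimes carry.
function Test-GrantsRead {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    $rights = [int]$Ace.FileSystemRights
    $mask   = 0x1 -bor 0x10000000 -bor [int]::MinValue   # READ_DATA|GENERIC_ALL|GENERIC_READ
    return (($rights -band $mask) -ne 0)
}

function Get-KeyFileExposure {
    param([string[]]$Paths, [string[]]$Allowed)
    $findings = @()
    foreach ($file in Get-ChildItem -Path $Paths -File -ErrorAction SilentlyContinue) {
        $acl = Get-Acl -LiteralPath $file.FullName
        foreach ($ace in $acl.Access) {
            # Deny entries are not subtracted, so the audit errs toward reporting.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (-not (Test-GrantsRead -Ace $ace)) { continue }
            $who = $ace.IdentityReference.Value
            if ($Allowed -contains $who) { continue }   # case-insensitive match
            $findings += [pscustomobject]@{
                File      = $file.FullName
                Principal = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
    return $findings
}

$exposed = @(Get-KeyFileExposure -Paths $KeyPaths -Allowed $AllowedPrincipals)
if ($exposed.Count -eq 0) {
    Write-Host 'No unexpected read access to key files.'
} else {
    $exposed | Format-Table -AutoSize
    # Non-zero exit lets a scheduled re-check flag drift; remediate by removing the
    # ACE or breaking inheritance and regranting only the allowed accounts.
    exit 1
}
```

Running it from a scheduled task after patching covers the "re-verify" and "regular audit" actions in one script; a non-zero exit code is the signal that an unexpected principal can still read a key file.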

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 16:15:00 +0000

Type    Values Removed    Values Added
CPEs                      cpe:2.3:a:hcltech:bigfix_platform:*:*:*:*:*:*:*:*

Thu, 02 Apr 2026 20:30:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Hcltech
                                        Hcltech bigfix Platform
Vendors & Products                      Hcltech
                                        Hcltech bigfix Platform
Metrics                                 ssvc
                                        {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 23:45:00 +0000

Type           Values Removed    Values Added
Description                      HCL BigFix Platform is affected by insecure permissions on private cryptographic keys. The private cryptographic keys located on a Windows host machine might be subject to overly permissive file system permissions.
Title                            HCL BigFix Platform is affected by insecure permissions on private cryptographic keys
Weaknesses                       CWE-276
                                 CWE-732
References
Metrics                          cvssV3_1
                                 {'score': 8.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-04-02T18:21:14.546Z

Reserved: 2026-01-05T16:07:58.367Z

Link: CVE-2026-21765

Vulnrichment

Updated: 2026-04-02T18:21:10.798Z

NVD

Status: Analyzed

Published: 2026-04-02T00:16:23.953

Modified: 2026-04-16T16:07:39.550

Link: CVE-2026-21765

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:15:53Z

Weaknesses