{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15633", "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "state": "PUBLISHED", "assignerShortName": "HCL", "dateReserved": "2026-04-14T05:56:25.354Z", "datePublished": "2026-05-09T04:58:55.241Z", "dateUpdated": "2026-05-11T17:30:11.814Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "shortName": "HCL", "dateUpdated": "2026-05-09T04:58:55.241Z"}, "title": "HCL BigFix WebUI is affected by an improper authorization vulnerability", "datePublic": "2026-05-09T03:56:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "type": "CWE"}]}], "affected": [{"vendor": "HCLSoftware", "product": "BigFix WebUI", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "An improper authorization vulnerability in HCL BigFix WebUI allows an authenticated user without Master Operator\u00a0privileges to access internal data (site names, versions, and configuration variables) and bypass privilege requirements via unprotected endpoints lacking adequate security headers.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>An improper authorization vulnerability in HCL BigFix WebUI allows an authenticated user without Master Operator&nbsp;privileges to access internal data (site names, versions, and configuration variables) and bypass privilege requirements via unprotected endpoints lacking adequate security headers.</p>"}]}], "references": [{"url": "https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130587"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-11T17:29:56.867689Z", "id": "CVE-2025-15633", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-11T17:30:11.814Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-15633", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-05-11T17:29:56.867689Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-11T17:30:01.186Z"}}], "cna": {"title": "HCL BigFix WebUI is affected by an improper authorization vulnerability", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "HCLSoftware", "product": "BigFix WebUI", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}], "datePublic": "2026-05-09T03:56:00.000Z", "references": [{"url": "https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130587"}], "x_generator": {"engine": "Vulnogram 1.0.2"}, "descriptions": [{"lang": "en", "value": "An improper authorization vulnerability in HCL BigFix WebUI allows an authenticated user without Master Operator\u00a0privileges to access internal data (site names, versions, and configuration variables) and bypass privilege requirements via unprotected endpoints lacking adequate security headers.", "supportingMedia": [{"type": "text/html", "value": "<p>An improper authorization vulnerability in HCL BigFix WebUI allows an authenticated user without Master Operator&nbsp;privileges to access internal data (site names, versions, and configuration variables) and bypass privilege requirements via unprotected endpoints lacking adequate security headers.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "shortName": "HCL", "dateUpdated": "2026-05-09T04:58:55.241Z"}}}, "cveMetadata": {"cveId": "CVE-2025-15633", "state": "PUBLISHED", "dateUpdated": "2026-05-11T17:30:11.814Z", "dateReserved": "2026-04-14T05:56:25.354Z", "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "datePublished": "2026-05-09T04:58:55.241Z", "assignerShortName": "HCL"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hcltech:bigfix_webui_api:*:*:*:*:*:*:*:*", "matchCriteriaId": "8680650F-B404-4812-AD8D-F93A7F52C20B", "versionEndExcluding": "33", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:bigfix_webui_application_administration:*:*:*:*:*:*:*:*", "matchCriteriaId": "D8757E08-9B05-45FD-BEAC-7D27423C7FC4", "versionEndExcluding": "40", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:bigfix_webui_cmep:*:*:*:*:*:*:*:*", "matchCriteriaId": "DD60E500-25B7-42B4-8B0E-D84967B78AF4", "versionEndExcluding": "22", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:bigfix_webui_common:*:*:*:*:*:*:*:*", "matchCriteriaId": "E6441EA2-8CF7-4A3B-8AD8-BBE2A62E5DF4", "versionEndExcluding": "101", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:bigfix_webui_content_app:*:*:*:*:*:*:*:*", "matchCriteriaId": "CFE1EED8-C5C9-47CD-B20E-E5D113B4DF48", "versionEndExcluding": "28", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:bigfix_webui_custom:*:*:*:*:*:*:*:*", "matchCriteriaId": "92437F31-8DD7-4440-AF6A-02B5DDA55A3F", "versionEndExcluding": "50", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:bigfix_webui_data_sync:*:*:*:*:*:*:*:*", "matchCriteriaId": "9F3C0E3C-1CE1-43FC-9B4C-8D0EE77E3E10", "versionEndExcluding": "37", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:bigfix_webui_extensions:*:*:*:*:*:*:*:*", "matchCriteriaId": "0F22F7CB-24CC-445F-87D9-CB0B4346401E", "versionEndExcluding": "14", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:bigfix_webui_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "B7C2A16C-A840-47FF-9272-A17BD4CD7499", "versionEndExcluding": "35", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:bigfix_webui_insights:*:*:*:*:*:*:*:*", "matchCriteriaId": "97643BD1-2CE5-43A4-86C9-C25EE643E977", "versionEndExcluding": "32", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:bigfix_webui_ivr:*:*:*:*:*:*:*:*", "matchCriteriaId": "58DA2A15-7F8A-4D04-A158-18CBB803BF8C", "versionEndExcluding": "23", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:bigfix_webui_mdm:*:*:*:*:*:*:*:*", "matchCriteriaId": "A1287A97-8E7A-4B5F-BE14-2D871BD2E886", "versionEndExcluding": "29", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:bigfix_webui_patch:*:*:*:*:*:*:*:*", "matchCriteriaId": "5CA0410D-FC23-4F02-B460-3AAF36534B35", "versionEndExcluding": "54", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:bigfix_webui_patch_policies:*:*:*:*:*:*:*:*", "matchCriteriaId": "99FC5DA2-E98F-4EE7-ABC1-9CAE3141DE63", "versionEndExcluding": "51", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:bigfix_webui_permissions_and_preferences:*:*:*:*:*:*:*:*", "matchCriteriaId": "14A1AC9F-42FA-4CEA-9198-78F902069EB5", "versionEndExcluding": "27", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:bigfix_webui_profile_management:*:*:*:*:*:*:*:*", "matchCriteriaId": "7EC90454-5ACF-437A-98E5-4FA331436BAB", "versionEndExcluding": "33", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:bigfix_webui_query:*:*:*:*:*:*:*:*", "matchCriteriaId": "C9399A9A-9034-45E1-848A-96618F90AE9A", "versionEndExcluding": "45", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:bigfix_webui_reports:*:*:*:*:*:*:*:*", "matchCriteriaId": "76DCC419-4FDB-4863-847D-346BF4EC3458", "versionEndExcluding": "24", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:bigfix_webui_scm:*:*:*:*:*:*:*:*", "matchCriteriaId": "5AF61FBA-D9FA-4D8F-9C63-BDB7266281E3", "versionEndExcluding": "20", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:bigfix_webui_software_distribution:*:*:*:*:*:*:*:*", "matchCriteriaId": "78E47D3B-035E-4B5A-90FB-B15262EE93F0", "versionEndExcluding": "54", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:bigfix_webui_take_action:*:*:*:*:*:*:*:*", "matchCriteriaId": "8E08C0D1-A177-40F8-B5E0-EA14D66B38FC", "versionEndExcluding": "37", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An improper authorization vulnerability in HCL BigFix WebUI allows an authenticated user without Master Operator\u00a0privileges to access internal data (site names, versions, and configuration variables) and bypass privilege requirements via unprotected endpoints lacking adequate security headers."}], "id": "CVE-2025-15633", "lastModified": "2026-05-14T20:28:21.457", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "psirt@hcl.com", "type": "Secondary"}]}, "published": "2026-05-09T06:16:07.413", "references": [{"source": "psirt@hcl.com", "tags": ["Vendor Advisory"], "url": "https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130587"}], "sourceIdentifier": "psirt@hcl.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "psirt@hcl.com", "type": "Secondary"}]}

{}