CVE-2026-21765
Received Received - Intake
Insecure Private Key Permissions in HCL BigFix Platform

Publication date: 2026-04-02

Last updated on: 2026-04-16

Assigner: HCL Software

Description
HCL BigFix Platform is affected by insecure permissions on private cryptographic keys.Β  The private cryptographic keys located on a Windows host machine might be subject to overly permissive file system permissions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-02
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-21765
EUVD
EUVD-2026-18095
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hcltech bigfix_platform From 11.0.0 (inc) to 11.0.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-732 The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
CWE-276 During installation, installed file permissions are set to allow anyone to modify those files.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the HCL BigFix Platform involves insecure permissions on private cryptographic keys stored on a Windows host machine. Specifically, the private keys have overly permissive file system permissions, which means unauthorized users with access to the system might be able to read or use these sensitive keys.

Impact Analysis

The impact of this vulnerability is significant as it can lead to a complete compromise of confidentiality, integrity, and availability. An attacker with access to the private cryptographic keys could decrypt sensitive data, impersonate legitimate users or services, and disrupt system operations.

Detection Guidance

This vulnerability involves insecure permissions on private cryptographic keys located on a Windows host machine. To detect this issue, you should check the file system permissions of the private key files used by the HCL BigFix Platform.

On a Windows system, you can use PowerShell commands to inspect the permissions of the private key files. For example, use the Get-Acl cmdlet to view the Access Control List (ACL) of the key files.

  • Identify the location of the private cryptographic key files used by HCL BigFix Platform.
  • Run the command: Get-Acl -Path "<path_to_private_key_file>" | Format-List
  • Review the output for overly permissive permissions, such as 'Everyone' or 'Users' having full control or write access.
Mitigation Strategies

To mitigate this vulnerability, you should immediately restrict the file system permissions on the private cryptographic key files to ensure that only authorized users and system processes have access.

  • Locate the private key files used by the HCL BigFix Platform on the Windows host.
  • Modify the permissions to remove any overly permissive access, such as 'Everyone' or 'Users' groups having write or full control.
  • Use the icacls command to set restrictive permissions, for example: icacls "<path_to_private_key_file>" /inheritance:r /grant:r SYSTEM:F /grant:r Administrators:F

Additionally, monitor for any updates or patches from HCL that address this issue and apply them as soon as they become available.

Compliance Impact

The vulnerability involves insecure permissions on private cryptographic keys in the HCL BigFix Platform, which could lead to unauthorized access to sensitive data.

Such unauthorized access risks violating data protection requirements under common standards and regulations like GDPR and HIPAA, which mandate strict controls over sensitive data and cryptographic key management.

Therefore, this vulnerability could negatively impact compliance by exposing sensitive information due to overly permissive file system permissions on private keys.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21765. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart