CVE-2026-21765
Status: Received - Intake
Insecure Private Key Permissions in HCL BigFix Platform

Publication date: 2026-04-02

Last updated on: 2026-04-16

Assigner: HCL Software

Description
HCL BigFix Platform is affected by insecure permissions on private cryptographic keys. The private cryptographic keys located on a Windows host machine might be subject to overly permissive file system permissions.
Meta Information
Published: 2026-04-02
Last Modified: 2026-04-16
Generated: 2026-05-07
AI Q&A: 2026-04-02
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: hcltech
Product: bigfix_platform
Version / Range: From 11.0.0 (inc) to 11.0.5 (inc)
CWE ID / Description
CWE-732: The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
CWE-276: During installation, installed file permissions are set to allow anyone to modify those files.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in the HCL BigFix Platform involves insecure permissions on private cryptographic keys stored on a Windows host machine. Specifically, the private keys have overly permissive file system permissions, which means unauthorized users with access to the system might be able to read or use these sensitive keys.

How can this vulnerability impact me?

The impact of this vulnerability is significant as it can lead to a complete compromise of confidentiality, integrity, and availability. An attacker with access to the private cryptographic keys could decrypt sensitive data, impersonate legitimate users or services, and disrupt system operations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves insecure permissions on private cryptographic keys located on a Windows host machine. To detect this issue, you should check the file system permissions of the private key files used by the HCL BigFix Platform.

On a Windows system, you can use PowerShell commands to inspect the permissions of the private key files. For example, use the Get-Acl cmdlet to view the Access Control List (ACL) of the key files.

  • Identify the location of the private cryptographic key files used by HCL BigFix Platform.
  • Run the command: Get-Acl -Path "<path_to_private_key_file>" | Format-List
  • Review the output for overly permissive permissions, such as 'Everyone' or 'Users' having full control or write access.

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should immediately restrict the file system permissions on the private cryptographic key files to ensure that only authorized users and system processes have access.

  • Locate the private key files used by the HCL BigFix Platform on the Windows host.
  • Modify the permissions to remove any overly permissive access, such as 'Everyone' or 'Users' groups having write or full control.
  • Use the icacls command to set restrictive permissions, for example: icacls "<path_to_private_key_file>" /inheritance:r /grant:r SYSTEM:F /grant:r Administrators:F

Additionally, monitor for any updates or patches from HCL that address this issue and apply them as soon as they become available.
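The detection and mitigation steps above, worked through as an added PowerShell example (not from the advisory, HCL, or this site): it audits each key file's ACL for Allow entries granted to broad principals and classifies them as readable or writable, then offers the same icacls remediation as a dry run. The key file paths are an assumption; substitute the real locations on the BigFix server.

```powershell
# Added example; not from the advisory or from HCL. Audits the ACL on BigFix private key
# files for the broad-principal access described under CWE-732 / CWE-276 and offers a
# remediation matching the icacls line above. $KeyPaths is an assumption: fill in the
# real key locations on your BigFix server.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Rights that let a caller alter or replace the key, not merely read it.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions'

function Test-PrivateKeyAcl {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($BroadPrincipals -notcontains $who) { continue }
        # Any Allow ACE for a broad group on a private key is a finding: read access
        # discloses the key, write access additionally lets it be replaced.
        $canWrite = ($ace.FileSystemRights -band $WriteRights) -ne 0
        [pscustomobject]@{
            Path      = $Path
            Identity  = $who
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Severity  = $(if ($canWrite) { 'writable' } else { 'readable' })
        }
    }
}

function Repair-PrivateKeyAcl {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)
    # Same effect as the icacls line above: drop inheritance, then grant only SYSTEM and
    # Administrators. If the BigFix service runs under a dedicated account rather than
    # SYSTEM, that account also needs read access (add /grant:r '<account>:R').
    if ($PSCmdlet.ShouldProcess($Path, 'Replace ACL with SYSTEM:F, Administrators:F')) {
        & icacls.exe $Path /inheritance:r /grant:r 'SYSTEM:F' /grant:r 'Administrators:F' | Out-Null
    }
}

# Placeholder path (constructed); replace with the actual private key file locations.
$KeyPaths = @('C:\PLACEHOLDER\BigFix\private.key')
$findings = foreach ($p in $KeyPaths) { if (Test-Path $p) { Test-PrivateKeyAcl -Path $p } }
$findings | Format-Table -AutoSize
# Dry run first; drop -WhatIf once the findings have been reviewed.
if ($findings) {
    $findings.Path | Sort-Object -Unique | ForEach-Object { Repair-PrivateKeyAcl -Path $_ -WhatIf }
}
```

Inherited entries flagged here usually come from the parent directory's ACL, which is why the remediation removes inheritance before granting explicit rights.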

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability involves insecure permissions on private cryptographic keys in the HCL BigFix Platform, which could lead to unauthorized access to sensitive data.

Such unauthorized access risks violating data protection requirements under common standards and regulations like GDPR and HIPAA, which mandate strict controls over sensitive data and cryptographic key management.

Therefore, this vulnerability could negatively impact compliance by exposing sensitive information due to overly permissive file system permissions on private keys.