PatchSiren cyber security CVE debrief

CVE-2026-21785 HCLSoftware CVE debrief

A misconfigured Content Security Policy (CSP) in HCL BigFix Remote Control Server WebUI (versions 10.1.0.0442 and earlier) fails to define directives that have no fallback, allowing attackers to bypass intended security restrictions and load unauthorized resources. The vulnerability was published on 2026-05-27 with a CVSS 3.1 score of 4.0 (MEDIUM severity). The attack vector is network-based with high attack complexity, requiring high privileges and user interaction, with a scope change. The confidentiality and integrity impacts are rated low, with no availability impact. The weakness is categorized as CWE-1021 (Improper Restriction of Rendered UI Layers or Frames). HCL Software has published a knowledge base article addressing this issue.

Vendor: HCLSoftware
Product: BigFix Remote Control Server
CVSS: MEDIUM (4.0)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running HCL BigFix Remote Control Server WebUI version 10.1.0.0442 or earlier, particularly those with administrative interfaces exposed to network access. Security teams responsible for web application security and CSP configuration management should prioritize review.

Technical summary

HCL BigFix Remote Control Server WebUI versions 10.1.0.0442 and earlier contain a Content Security Policy misconfiguration in which directives lack proper fallback definitions. This allows an attacker who already holds high privileges, and who can induce user interaction, to bypass the policy's restrictions and load unauthorized resources. Exploitation requires network access and has high attack complexity; the resulting confidentiality and integrity impact is low, with a scope change because the affected resource is under a different security authority than the vulnerable component.

Defensive priority

medium

Recommended defensive actions

  • Review and update Content Security Policy configurations in HCL BigFix Remote Control Server WebUI to ensure all directives include appropriate fallback mechanisms
  • Upgrade to a version newer than 10.1.0.0442 when available per vendor guidance
  • Audit CSP headers for missing default-src or other fallback directives that could allow unauthorized resource loading
  • Monitor for anomalous resource loading attempts in WebUI access logs
  • Apply principle of least privilege for administrative access to reduce attack surface given high privilege requirements
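The audit step above ("check CSP headers for missing default-src or other fallback directives") can be automated. The following is an added example written for this debrief, not code from PatchSiren or HCL; it encodes the CSP Level 3 fallback chains (for example script-src-elem falls back to script-src and then default-src, while frame-ancestors, base-uri and form-action have no fallback at all) and reports every directive that ends up unrestricted. The header strings are constructed samples and are not the product's actual policy; the script goes slightly beyond the bullet by also covering the no-fallback directives relevant to CWE-1021.

```python
"""Audit a Content-Security-Policy header for directives left without a fallback."""
from typing import Dict, List, Optional, Tuple

# CSP Level 3 fallback chains: a missing directive is resolved by walking its chain
# until a present directive is found. An empty chain means the directive never
# inherits from anything, so it must be set explicitly or the browser applies
# no restriction. (Added example; chains transcribed from the CSP3 specification.)
FALLBACK_CHAIN: Dict[str, List[str]] = {
    "script-src": ["default-src"],
    "script-src-elem": ["script-src", "default-src"],
    "script-src-attr": ["script-src", "default-src"],
    "style-src": ["default-src"],
    "style-src-elem": ["style-src", "default-src"],
    "style-src-attr": ["style-src", "default-src"],
    "connect-src": ["default-src"],
    "img-src": ["default-src"],
    "font-src": ["default-src"],
    "media-src": ["default-src"],
    "object-src": ["default-src"],
    "manifest-src": ["default-src"],
    "child-src": ["default-src"],
    "frame-src": ["child-src", "default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
    # Document and navigation directives never inherit from default-src.
    "frame-ancestors": [],
    "base-uri": [],
    "form-action": [],
}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive-name: [source expressions]}.

    Per the spec, only the first occurrence of a directive is honoured.
    """
    policy: Dict[str, List[str]] = {}
    for token in header.split(";"):
        parts = token.split()
        if not parts:
            continue  # empty segment, e.g. a trailing semicolon
        name = parts[0].lower()
        if name not in policy:
            policy[name] = parts[1:]
    return policy


def resolve(policy: Dict[str, List[str]], directive: str) -> Tuple[Optional[str], Optional[List[str]]]:
    """Return (governing directive, its values), or (None, None) if nothing applies."""
    for name in [directive] + FALLBACK_CHAIN.get(directive, []):
        if name in policy:
            return name, policy[name]
    return None, None


def unrestricted_directives(header: str) -> List[str]:
    """List every known directive that no present directive (or fallback) governs."""
    policy = parse_csp(header)
    return sorted(d for d in FALLBACK_CHAIN if resolve(policy, d)[0] is None)


# Constructed sample headers (not the product's real policy).
WEAK_HEADER = "script-src 'self'; style-src 'self'"
HARDENED_HEADER = "default-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"

if __name__ == "__main__":
    for label, hdr in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        gaps = unrestricted_directives(hdr)
        print(f"{label}: {len(gaps)} unrestricted directive(s): {', '.join(gaps) or 'none'}")
```

In the weak sample, script-src and style-src are set, but with no default-src every other fetch directive (img-src, connect-src, frame-src and so on) is unrestricted, and frame-ancestors, base-uri and form-action are unrestricted regardless because they have no fallback chain; worker-src is the one fetch directive that is still governed, because its chain reaches script-src. The hardened sample closes every gap with a single default-src plus explicit no-fallback directives, which is the shape of policy the review bullet above is asking for.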

Evidence notes

The CVE description confirms a CSP misconfiguration in HCL BigFix Remote Control Server WebUI ≤ 10.1.0.0442. CVSS 3.1 vector: AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N. CWE-1021 identified. Vendor attribution is based on the reference domain candidate 'HCL Software' with low confidence and requires review.

Official resources

2026-05-27