PatchSiren

HCL Software CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

LOW HCL Software CVE published 2026-06-17

CVE-2025-62340

A low-severity vulnerability, CVE-2025-62340, was discovered in HCL iControl, related to inadequate session timeout. This issue involves a security risk where a web application fails to automatically terminate user sessions after a period of inactivity. The vulnerability has a CVSS score of 3.1 and is considered low severity. The CVE was published on 2026-06-17T13:19:15.840Z and last modified on 2026-06-1 [truncated]

MEDIUM HCL Software CVE published 2026-06-17

CVE-2025-59872

HCL ZIE for Web is affected by an Unrestricted File Upload vulnerability. If the server is configured to execute code, then it may be possible to obtain command execution on the server by uploading a file known as a web shell, which allows you to execute arbitrary code or operating system commands. For this attack to be successful, the file needs to be uploaded inside the Webroot, and the server must be c [truncated]

MEDIUM HCL Software CVE published 2026-05-09

CVE-2025-15634

CVE-2025-15634 describes a missing authorization flaw in HCL BigFix WebUI. An authenticated user without the proper permissions may be able to reach an unauthorized page directly by URL and view sensitive environmental information. The issue is rated medium severity and maps to CWE-862 (missing authorization).

MEDIUM HCL Software CVE published 2026-05-06

CVE-2025-31978

CVE-2025-31978 is a medium-severity vulnerability (CVSS Score: 4.6) affecting HCL BigFix Service Management. The issue lies in the inadequate sanitization or safe rendering of spreadsheet files (CSV, XLS, XLSX) before processing or distribution. An attacker could exploit this by populating data fields in a way that, when saved to a CSV file, may attempt information exfiltration or other malicious activiti [truncated]

MEDIUM HCL Software CVE published 2026-05-06

CVE-2025-31976

HCL BigFix Service Management (SM) has a vulnerability that involves insufficiently protected credentials for a short duration while communicating with a backend, internal application. This could potentially allow an attacker to misuse the credentials if they are exfiltrated. The vulnerability has a CVSS score of 4.8 and is classified as medium severity. The CVE was published on May 6, 2026, and last modi [truncated]