HCL: Security vulnerabilities in BigFix, DevOps and more products
HCL warns of security vulnerabilities, some of which are critical. Updates are available for BigFix, DevOps, Traveler and Connections.
(Image: Image created with AI in Bing Designer by heise online / dmk)
HCL Software is now providing updates to plug security gaps in HCL BigFix, DevOps, Traveler, and Connections. Some gaps are considered critical. IT managers should apply the updates quickly.
HCL BigFix WebUI, the management interface for BigFix, is hit the hardest. Several of its vulnerabilities lie in the open-source components it uses: one in canvg 4.0.2 is classified as critical (CVE-2025-25977, CVSS 9.8), and two are in xml-crypto (CVE-2025-29774, CVE-2025-29775, both CVSS 9.3).
HCL: High-risk security vulnerabilities
In BigFix Server Automation, an open-source module is likewise responsible for a vulnerability; in this case it is axios, an HTTP client for the browser and Node.js. A potential server-side request forgery (SSRF) in it jeopardizes the security of the system (CVE-2025-27152, CVSS 7.7, risk “high”).
The other vulnerabilities have received slightly lower risk ratings, but still represent a potential gateway for malicious actors. Admins should therefore check the security notifications from HCL to see whether they are using the vulnerable software, and then download and install the available updates.
The vulnerabilities are listed in descending order of severity:
- HCL BigFix WebUI is affected by multiple open-source vulnerabilities, multiple CVEs, max CVSS 9.8, risk “critical”
- HCL BigFix Server Automation (SA) affected by an open-source security vulnerability, CVE-2025-27152, CVSS 7.7, risk “high”
- HCL DevOps Deploy / HCL Launch is susceptible to unauthorized access to other services, CVE-2025-0257, CVSS 6.3, risk “medium”
- HCL DevOps Deploy / HCL Launch is susceptible to an HTML injection vulnerability, CVE-2025-0272, CVSS 5.4, risk “medium”
- HCL Traveler is affected by generation of error messages containing sensitive information, CVE-2025-0279, CVSS 4.3, risk “medium”
- An internal path disclosure vulnerability affects HCL Traveler, CVE-2025-0278, CVSS 4.3, risk “medium”
- HCL Connections Security Update for Information Disclosure Vulnerability, CVE-2024-42208, CVSS 3.5, risk “medium”
In February, HCL had to fix and redistribute a patch for HCL BigFix Server Automation, because the first attempt at securing it was faulty.
(dmk)