CVE-2025-52602
📋 TL;DR
HCL BigFix Query WebUI has an information disclosure vulnerability where HTTP GET requests can expose group names and active user IDs. This affects organizations using HCL BigFix Query for endpoint management. Attackers can leverage this information for targeted phishing or social engineering attacks.
💻 Affected Systems
- HCL BigFix Query
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain complete user/group directory information, enabling highly targeted spear-phishing campaigns that could lead to credential theft, malware installation, or lateral movement within the network.
Likely Case
Attackers gather partial user/group information to craft convincing phishing emails targeting IT administrators or privileged users.
If Mitigated
Information exposure is limited to non-sensitive data or access is blocked by network controls, reducing attack surface for social engineering.
🎯 Exploit Status
Simple HTTP GET requests to specific endpoints can trigger the disclosure. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.0.4
Vendor Advisory: https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0124950
Restart Required: Yes
Instructions:
1. Download HCL BigFix Query version 11.0.4 from HCL support portal. 2. Backup current installation. 3. Run installer with administrative privileges. 4. Restart BigFix services. 5. Verify WebUI functionality.
🔧 Temporary Workarounds
Network Access Restriction
allRestrict access to BigFix Query WebUI endpoints using firewall rules or network segmentation.
Web Server Configuration
allConfigure web server to block or restrict the vulnerable HTTP GET endpoints.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate BigFix Query WebUI from untrusted networks
- Deploy web application firewall (WAF) rules to block requests to vulnerable endpoints
🔍 How to Verify
Check if Vulnerable:
Send HTTP GET requests to BigFix Query WebUI endpoints and check if responses contain group names or user IDs.Check Version:
Check BigFix Query version via administrative console or version file in installation directoryVerify Fix Applied:
After patching, test the same endpoints to confirm they no longer return sensitive information.📡 Detection & Monitoring
Log Indicators:
- Unusual volume of HTTP GET requests to WebUI endpoints
- Requests from unexpected IP addresses to sensitive endpoints
Network Indicators:
- HTTP traffic patterns targeting specific WebUI query endpoints
- Information disclosure in HTTP responses
SIEM Query:
source="bigfix_webui" AND (http_method="GET" AND uri_path CONTAINS "/query/") AND status_code=200