CVE-2025-31951
Published: 06 May 2026
Description
HCL BigFix RunBookAI is affected by a Unvalidated Command Input / Potential Command Smuggling vulnerability. A flaw in a component's input handling was identified that could permit unauthorized command execution.
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of information inputs to prevent unvalidated command input vulnerabilities like command injection and smuggling in HCL BigFix RunBookAI.
Mandates timely flaw remediation, directly addressing the specific input handling defect permitting unauthorized command execution as detailed in the HCL advisory.
Enforces least privilege to restrict the scope and impact of unauthorized commands executed by low-privilege users exploiting the vulnerability.
Security SummaryAI
CVE-2025-31951 is a Unvalidated Command Input / Potential Command Smuggling vulnerability affecting HCL BigFix RunBookAI. A flaw in a component's input handling was identified that could permit unauthorized command execution. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-77, CWE-351, and CWE-451.
The vulnerability can be exploited remotely over the network with low complexity by authenticated users possessing low privileges, without requiring user interaction. Successful exploitation enables attackers to execute unauthorized commands, resulting in high impacts to confidentiality, integrity, and availability.
Mitigation details are available in the HCL Software advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130444.
Details
- CWE(s)