CVE-2025-31962 LOW

CVE-2025-31962: HCL BigFix IVR is impacted by an insufficient session expiration vulnerability

Vendor Hclsoftware
Product BigFix IVR
Weakness CWE-613 · Insufficient session expiration
Published January 7, 2026
Last update January 7, 2026

CVSS base score

2.0/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction Required
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

Insufficient session expiration in the Web UI authentication component in HCL BigFix IVR version 4.2 allows an authenticated attacker to gain prolonged unauthorized access to protected API endpoints due to excessive expiration periods.

Key dates

02 Disclosure timeline

January 7, 2026 CVE published
January 7, 2026 Record updated