CVE-2026-21765: CWE-732 Incorrect Permission Assignment for Critical Resource in HCLSoftware BigFix Platform
CVE-2026-21765 is a high-severity vulnerability in HCL BigFix Platform versions 11.0.0 through 11.0.5, caused by incorrect permission assignment on private cryptographic keys stored on Windows hosts. The overly permissive file system permissions allow users with limited privileges to access sensitive private keys, potentially leading to full compromise of confidentiality, integrity, and availability of the system. Exploitation requires local access with low privileges but no user interaction, and the vulnerability has a CVSS score of 8.8. Although no known exploits are currently reported in the wild, the vulnerability poses a critical risk to organizations relying on BigFix for endpoint management and security. Mitigation involves immediate review and tightening of file permissions on private keys, restricting access strictly to necessary system accounts, and applying any vendor patches or configuration updates once available.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-21765 identifies a critical security vulnerability in the HCL BigFix Platform, specifically versions 11.0.0 through 11.0.5, where private cryptographic keys stored on Windows host machines are assigned overly permissive file system permissions. This vulnerability falls under CWE-732 (Incorrect Permission Assignment for Critical Resource) and CWE-276 (Incorrect Default Permissions). The private keys, which are essential for cryptographic operations and securing communications or authentication, are exposed to users with low-level privileges due to improper access control settings. This misconfiguration allows unauthorized local users to read or potentially manipulate these keys, leading to a compromise of confidentiality, integrity, and availability of the system. The CVSS v3.1 base score is 8.8, reflecting high severity, with an attack vector of local access (AV:L), low attack complexity (AC:L), requiring low privileges (PR:L), and no user interaction (UI:N). The scope is changed (S:C), indicating that exploitation can affect resources beyond the initially vulnerable component. Although no exploits are currently known in the wild, the vulnerability represents a significant risk because private key compromise can enable attackers to impersonate the system, decrypt sensitive data, or disrupt operations. The vulnerability was reserved in early 2026 and published in April 2026, with no patch links currently available, emphasizing the need for immediate manual mitigation steps. Organizations using BigFix for endpoint management and security automation must urgently assess their systems for this misconfiguration and restrict file permissions to only trusted system accounts.
Potential Impact
The impact of CVE-2026-21765 is substantial for organizations worldwide that deploy HCL BigFix Platform for endpoint management, patching, and security compliance. Unauthorized access to private cryptographic keys can lead to full system compromise, including unauthorized decryption of sensitive data, impersonation of the affected system, and disruption of security controls. This can result in data breaches, loss of trust, regulatory penalties, and operational downtime. Since BigFix is often used in large enterprises, government agencies, and critical infrastructure sectors, exploitation could facilitate lateral movement within networks, elevate privileges, and undermine the security posture of entire organizations. The requirement for local access with low privileges means that attackers or malicious insiders who gain limited access could escalate their control significantly. The absence of known exploits in the wild currently provides a window for remediation, but the high severity and critical nature of the keys involved make this a priority vulnerability to address.
Mitigation Recommendations
1. Immediately audit file system permissions on all Windows hosts running affected BigFix versions to identify private cryptographic keys with overly permissive access.
2. Restrict permissions on private key files to the minimum necessary accounts, ideally only the BigFix service account and system administrators, removing read/write access from all other users.
3. Implement file integrity monitoring on cryptographic key files to detect unauthorized access or changes.
4. Enforce the principle of least privilege for all users and service accounts on affected systems to reduce the risk of local exploitation.
5. Monitor local user activities and logs for suspicious access attempts to cryptographic keys.
6. Stay in close contact with HCLSoftware for official patches or security advisories and apply updates promptly once available.
7. Consider isolating or segmenting BigFix management servers and critical endpoints to limit local access vectors.
8. Educate administrators and security teams about the risks of improper file permissions and the importance of securing cryptographic material.
9. If possible, rotate or regenerate cryptographic keys after remediation to invalidate any potentially compromised keys.
10. Incorporate this vulnerability into organizational risk assessments and incident response plans to ensure readiness.
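The audit-and-restrict procedure in steps 1 and 2 above, as an added PowerShell example that is not part of the advisory and not HCL's code. It assumes the operator supplies the directory holding the BigFix private key files (the advisory names no path, so `$KeyDir` is a placeholder) and that `NT AUTHORITY\SYSTEM` and `BUILTIN\Administrators` are the only accounts that should keep access; any other `Allow` ACE on a key file is reported, and removed only when `-Fix` is given.

```powershell
# Added example; assumptions: $KeyDir is the operator-supplied key directory (placeholder),
# $Allowed lists the accounts that may keep access. Not from the advisory or from HCL.
function Get-OverbroadKeyAce {
    param([System.Security.AccessControl.FileSystemSecurity] $Acl, [string[]] $Allowed)
    # An Allow ACE for any principal outside the allow-list is the CWE-732 condition.
    @($Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $Allowed -notcontains $_.IdentityReference.Value
    })
}

function Repair-PrivateKeyAcl {
    param(
        [Parameter(Mandatory)] [string] $KeyDir,
        [string[]] $Allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'),
        [switch] $Fix   # report only unless -Fix is given
    )
    Get-ChildItem -LiteralPath $KeyDir -Recurse -File | ForEach-Object {
        $file = $_.FullName
        $acl  = Get-Acl -LiteralPath $file
        $bad  = Get-OverbroadKeyAce -Acl $acl -Allowed $Allowed
        foreach ($ace in $bad) {
            # One finding per offending ACE, so the output can go to Export-Csv or a SIEM.
            [pscustomobject]@{
                File      = $file
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights.ToString()
                Inherited = $ace.IsInherited
            }
        }
        if ($Fix -and $bad.Count -gt 0) {
            # Break inheritance but keep copies of the inherited ACEs as explicit entries, so the
            # allow-listed accounts are not dropped. Persist and re-read first: RemoveAccessRule
            # only acts on explicit ACEs, so removal must run against the re-read ACL.
            $acl.SetAccessRuleProtection($true, $true)
            Set-Acl -LiteralPath $file -AclObject $acl
            $acl = Get-Acl -LiteralPath $file
            foreach ($ace in (Get-OverbroadKeyAce -Acl $acl -Allowed $Allowed)) {
                [void]$acl.RemoveAccessRule($ace)
            }
            Set-Acl -LiteralPath $file -AclObject $acl
        }
    }
}

# Usage: report first, review the findings, then apply.
# Repair-PrivateKeyAcl -KeyDir 'C:\PLACEHOLDER\BigFix\keys'
# Repair-PrivateKeyAcl -KeyDir 'C:\PLACEHOLDER\BigFix\keys' -Fix
```

Run the report mode before `-Fix` and confirm that the BigFix service account, if it differs from SYSTEM, is added to `$Allowed`, otherwise the service would lose access to its own keys.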
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Japan, India, South Korea, Netherlands, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: HCL
- Date Reserved: 2026-01-05T16:07:58.367Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69cdafeee6bfc5ba1d0e2130
Added to database: 4/1/2026, 11:53:18 PM
Last enriched: 4/2/2026, 12:08:21 AM
Last updated: 4/2/2026, 2:07:29 AM