Critical authentication bypass flaw in HCL BigFix WebUI allows SAML assertion manipulation
Take action: If you use HCL BigFix WebUI, ensure it's isolated from direct internet access and only accessible from trusted management networks. Plan a quick upgrade of all BigFix WebUI site components to the patched versions listed by HCL to fix the critical CVE-2025-54419 authentication bypass flaw.
HCL has patched a critical security vulnerability in BigFix WebUI, the management interface for its endpoint management platform.
This flaw, tracked as CVE-2025-54419 (CVSS score 10.0), affects the Node-SAML library used for SAML 2.0 authentication in Node.js applications. The vulnerability is caused by a design weakness in how Node-SAML version 5.0.1 and below processes SAML assertions. After verifying the digital signature on a SAML response, the library loads assertion data from the original, unsigned XML document instead of from the cryptographically validated content. The flaw allows attackers to modify authentication details even after signature verification has been completed, effectively bypassing the security measures designed to ensure message integrity and authenticity.
To exploit this vulnerability, an attacker would need to obtain a validly signed SAML document from an Identity Provider (IdP), but no authentication or user interaction is required to carry out the attack. Once they have a document, the attacker can manipulate specific elements of the SAML assertion, including removing characters from the username field.
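The pattern described above (the signature is verified, but the data is then read from the unverified document) is shown here in a simplified model next to the corrected form. This is an added example, not Node-SAML or HCL code: the toy message format, the Ed25519 key, and the names issue, verifiedBytes, readUserFlawed and readUserHardened are assumptions made for illustration, and it does not reproduce the library's parsing.

```javascript
const crypto = require('node:crypto');

// Constructed stand-in for the IdP signing key pair (a real SP holds only the public key).
const idp = crypto.generateKeyPairSync('ed25519');

// Toy IdP: signs the exact bytes of one element, referenced by its ID.
// IDs are constructed, simple alphanumerics, so they are safe inside a RegExp.
function issue(id, nameId) {
  const assertion = `<Assertion ID="${id}"><NameID>${nameId}</NameID></Assertion>`;
  const sig = crypto.sign(null, Buffer.from(assertion), idp.privateKey).toString('base64');
  return { xml: `<Response>${assertion}</Response>`, ref: id, sig };
}

// Signature check: returns the bytes that were actually verified, or null on failure.
function verifiedBytes(msg) {
  const m = msg.xml.match(new RegExp(`<Assertion ID="${msg.ref}">.*?</Assertion>`));
  if (!m) return null;
  const sig = Buffer.from(msg.sig, 'base64');
  return crypto.verify(null, Buffer.from(m[0]), idp.publicKey, sig) ? m[0] : null;
}

// Returns the first NameID value found in the given text, or null.
const nameIdOf = (xml) => (xml.match(/<NameID>(.*?)<\/NameID>/) || [])[1] ?? null;

// Flawed pattern: the signature result is only a yes/no gate,
// and the identity is then read from the whole, unverified document.
function readUserFlawed(msg) {
  return verifiedBytes(msg) ? nameIdOf(msg.xml) : null;
}

// Hardened pattern: the identity is read only from the bytes the signature covered.
function readUserHardened(msg) {
  const signed = verifiedBytes(msg);
  return signed ? nameIdOf(signed) : null;
}

// Constructed samples: a genuine response, and a copy whose document carries
// extra content outside the signed element (the signed bytes are unchanged).
const genuine = issue('a1', 'alice@example.test');
const altered = {
  ...genuine,
  xml: genuine.xml.replace('<Response>', '<Response><NameID>unsigned-value</NameID>'),
};
```

For the altered sample the signature still verifies in both readers, but only the hardened one returns the signed identity; a regression test for a SAML integration can assert the same property.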
Users should upgrade the HCL BigFix WebUI to the following site versions:
| WebUI Site Name | Version |
| --- | --- |
| Application Administration | 39 |
| Common | 100 |
| Custom | 49 |
| Insights | 30 |
| Patch | 53 |
| IVR | 20 |
| Patch Policies | 48 |
| Profile Management | 32 |
| Query | 43 |
| Software Distribution | 53 |
| WebUI API | 31 |
| WebUI Content App | 27 |
| WebUI CMEP | 21 |
| WebUI Data Sync | 36 |
| WebUI Framework | 33 |
| WebUI MDM | 24 |
| WebUI Permissions and Preferences | 26 |
| WebUI Reports | 23 |
| WebUI Take Action | 36 |
| WebUI SCM | 19 |
| WebUI Extensions | 13 |