Bmc
Products by Bmc Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2026 there have been 0 vulnerabilities in Bmc. Last year, in 2025, Bmc had 13 security vulnerabilities published. Right now, Bmc is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 13 | 7.28 |
| 2024 | 6 | 7.06 |
| 2023 | 6 | 8.95 |
| 2022 | 4 | 7.23 |
| 2021 | 4 | 0.00 |
| 2020 | 0 | 0.00 |
| 2019 | 8 | 7.05 |
It may take a day or so for new Bmc vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Bmc Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2025-55108 | Nov 05, 2025 | **BMC Control-M/Agent RCE via Unauthenticated Mutual TLS** The Control-M/Agent is vulnerable to unauthenticated remote code execution, arbitrary file read and write and similar unauthorized actions when mutual SSL/TLS authentication is not enabled (i.e. in the default configuration). NOTE: * The vendor believes that this vulnerability only occurs when documented security best practices are not followed. BMC has always strongly recommended to use security best practices such as configuring SSL/TLS between Control-M Server and Agent. * The vendor notifies that Control-M/Agent is not impacted in Control-M SaaS | |
| CVE-2025-55118 | Sep 16, 2025 | **Control-M/Agent 9.x Memory Corruption via SSL/TLS config (use_openssl=n)** Memory corruptions can be remotely triggered in the Control-M/Agent when SSL/TLS communication is configured. The issue occurs in the following cases: * Control-M/Agent 9.0.20: SSL/TLS configuration is set to the non-default setting "use_openssl=n"; * Control-M/Agent 9.0.21 and 9.0.22: Agent router configuration uses the non-default settings "JAVA_AR=N" and "use_openssl=n" | |
| CVE-2025-55117 | Sep 16, 2025 | **Control-M/Agent 9.0.20-9.0.22: Buffer Overflow via SSL/TLS Config** A stack-based buffer overflow can be remotely triggered when formatting an error message in the Control-M/Agent when SSL/TLS communication is configured. The issue occurs in the following cases: * Control-M/Agent 9.0.20: SSL/TLS configuration is set to the non-default setting "use_openssl=n"; * Control-M/Agent 9.0.21 and 9.0.22: Agent router configuration uses the non-default settings "JAVA_AR=N" and "use_openssl=n". | |
| CVE-2025-55116 | Sep 16, 2025 | **Control-M/Agent buffer overflow (<=9.0.20) leads to LPE** A buffer overflow in the Control-M/Agent can lead to a local privilege escalation when an attacker has access to the system running the Agent. This vulnerability impacts the out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions. | |
| CVE-2025-55115 | Sep 16, 2025 | **Control-M/Agent Local Privilege Escalation via Path Traversal 9.0.18-9.0.20** A path traversal in the Control-M/Agent can lead to a local privilege escalation when an attacker has access to the system running the Agent. This vulnerability impacts the out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions. This vulnerability was fixed in 9.0.20.100 and above. | |
| CVE-2025-55114 | Sep 16, 2025 | **Control-M/Agent Auth-IP Validation & SSL/TLS Order CVE-2025-55114** The improper order of AUTHORIZED_CTM_IP validation in the Control-M/Agent, where the Control-M/Server IP address is validated only after the SSL/TLS handshake is completed, exposes the Control-M/Agent to vulnerabilities in the SSL/TLS implementation under certain non-default conditions (e.g. CVE-2025-55117 or CVE-2025-55118) or potentially to resource exhaustion. | |
| CVE-2025-55113 | Sep 16, 2025 | **Control-M/Agent 9.0.18-9.0.20 ACL Bypass via NULL byte in cert** If the Access Control List is enforced by the Control-M/Agent and the C router is in use (default in Out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions; non-default but configurable using the JAVA_AR setting in newer versions), the verification stops at the first NULL byte encountered in the email address referenced in the client certificate. An attacker could bypass configured ACLs by using a specially crafted certificate. | |
| CVE-2025-55112 | Sep 16, 2025 | **Control-M 9.0.18-20 Blowfish Hardcoded Key Decrypts Traffic** Out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 (and potentially earlier unsupported versions) that are configured to use the non-default Blowfish cryptography algorithm use a hardcoded key. An attacker with access to network traffic and to this key could decrypt network traffic between the Control-M/Agent and Server. | |
| CVE-2025-55111 | Sep 16, 2025 | **Control-M/Agent 9.0.18–9.0.20 Permissive File Permissions Expose SSL Keys** Certain files with overly permissive permissions were identified in the out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions as well as in newer versions which were upgraded from an affected version. These files contain keys and passwords relating to SSL files, keystore and policies. An attacker with local access to the system running the Agent can access these files. | |
| CVE-2025-55110 | Sep 16, 2025 | **Control-M Agents Default Keystore PW Disclosure** Control-M/Agents use a kdb or PKCS#12 keystore by default, and the default keystore password is well known and documented. An attacker with read access to the keystore could access sensitive data using this password. | |
| CVE-2025-55109 | Sep 16, 2025 | **Control-M/Agent 9.0.18-20 Auth Bypass via Empty kdb/PKCS#12 Keystores** An authentication bypass vulnerability exists in the out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions when using an empty or default kdb keystore or a default PKCS#12 keystore. A remote attacker with access to a signed third-party or demo certificate for client authentication can bypass the need for a certificate signed by the certificate authority of the organization during authentication on the Control-M/Agent. The Control-M/Agent contains hardcoded certificates which are only trusted as fallback if an empty kdb keystore is used; they are never trusted if a PKCS#12 keystore is used. All of these certificates are now expired. In addition, the Control-M/Agent default kdb and PKCS#12 keystores contain trusted third-party certificates (external recognized CAs and default self-signed demo certificates) which are trusted for client authentication. | |
| CVE-2025-48709 | Aug 07, 2025 | **BMC Control-M 9.0.21.300 dbu_connection_details.vbs Credential Exposure** BMC Control-M/Server 9.0.21.300 displays cleartext database credentials in process lists and logs. An authenticated attacker with shell access could observe these credentials and use them to log in to the database server. For example, when Control-M/Server on Windows has a database connection on, it runs 'DBUStatus.exe' frequently, which then calls 'dbu_connection_details.vbs' with the username, password, database hostname, and port written in cleartext, which can be seen in event and process logs in two separate locations. Fixed in PACTV.9.0.21.307. | |
| CVE-2024-34398 | Mar 12, 2025 | **BMC Remedy Mid Tier 7.6 stored HTML Injection vuln in web app** An issue was discovered in BMC Remedy Mid Tier 7.6.04. The web application allows stored HTML Injection by authenticated remote attackers. | |
| CVE-2024-34399 | Sep 18, 2024 | **Unauthenticated Remote Access in BMC Remedy Mid Tier 7.6.04** **UNSUPPORTED WHEN ASSIGNED** An issue was discovered in BMC Remedy Mid Tier 7.6.04. An unauthenticated remote attacker is able to access any user account without using any password. NOTE: This vulnerability only affects products that are no longer supported by the maintainer and the impacted version for this vulnerability is 7.6.04 only. | |
| CVE-2021-35001 | May 07, 2024 | **Track-It! GetData Missing Auth Disclosure** BMC Track-It! GetData Missing Authorization Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of BMC Track-It!. Authentication is required to exploit this vulnerability. The specific flaw exists within the GetData endpoint. The issue results from the lack of authorization prior to allowing access to functionality. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-14527. | |
| CVE-2021-35002 | May 07, 2024 | **BMC Track-It! Unrestricted File Upload RCE in Email Attachment Processing** BMC Track-It! Unrestricted File Upload Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of BMC Track-It!. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of email attachments. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-14122. | |
| CVE-2024-1604 | Mar 18, 2024 | **BMC ControlM 9.0.20/21 Report Mgmt Improper Auth Any Report Accessible** Improper authorization in the report management and creation module of BMC Control-M branches 9.0.20 and 9.0.21 allows logged-in users to read and make unauthorized changes to any reports available within the application, even without proper permissions. The attacker must know the unique identifier of the report they want to manipulate. Fix for 9.0.20 branch was released in version 9.0.20.238. Fix for 9.0.21 branch was released in version 9.0.21.201. | |
| CVE-2024-1605 | Mar 18, 2024 | **ControlM DLL Load Vulnerability (9.0.20/21) Arbitrary DLL from RW Dir** BMC Control-M branches 9.0.20 and 9.0.21 upon user login load all Dynamic Link Libraries (DLL) from a directory that grants Write and Read permissions to all users. Leveraging it leads to loading of potentially malicious libraries, which will execute with the application's privileges. Fix for 9.0.20 branch was released in version 9.0.20.238. Fix for 9.0.21 branch was released in version 9.0.21.201. | |
| CVE-2024-1606 | Mar 18, 2024 | **XSS via unsanitized input in BMC ControlM 9.0.20/9.0.21 web UI** Lack of input sanitization in BMC Control-M branches 9.0.20 and 9.0.21 allows logged-in users to manipulate generated web pages via injection of HTML code. This might lead to a successful phishing attack, for example by tricking users into using a hyperlink pointing to a website controlled by an attacker. Fix for 9.0.20 branch was released in version 9.0.20.238. Fix for 9.0.21 branch was released in version 9.0.21.200. | |
| CVE-2020-35593 | Sep 05, 2023 | **BMC PATROL Agent <20.08.00 LPE via pconfig +RESTART -host** BMC PATROL Agent through 20.08.00 allows local privilege escalation via vectors involving pconfig +RESTART -host. | |
| CVE-2017-9453 | Sep 05, 2023 | **BMC SA <8.9.01 Patch1: Auth Bypass Enables ProcessSpawner Exec** BMC Server Automation before 8.9.01 patch 1 allows Process Spawner command execution because of authentication bypass. | |
| CVE-2023-39122 | Jul 31, 2023 | **SQL Injection via deleteReport in BMC Control-M 9.0.20.200** BMC Control-M through 9.0.20.200 allows SQL injection via the /RF-Server/report/deleteReport report-id parameter. This is fixed in 9.0.21 (and is also fixed by a patch for 9.0.20.200). | |
| CVE-2023-34258 | May 31, 2023 | **BMC Patrol 22.1.00 RCE via Agent Config Exposure** An issue was discovered in BMC Patrol before 22.1.00. The agent's configuration can be remotely queried. This configuration contains the Patrol account password, encrypted with a default AES key. This account can then be used to achieve remote code execution. | |
| CVE-2023-34257 | May 31, 2023 | **BMC Patrol 23.1.00 RCE via Agent Config without Auth** An issue was discovered in BMC Patrol through 23.1.00. The agent's configuration can be remotely modified (and, by default, authentication is not required). Some configuration fields related to SNMP (e.g., masterAgentName or masterAgentStartLine) result in code execution when the agent is restarted. NOTE: the vendor's perspective is "These are not vulnerabilities for us as we have provided the option to implement the authentication." | |
| CVE-2023-26550 | Feb 25, 2023 | **SQLi in BMC ControlM <9.0.20.214 via memname JSON** A SQL injection vulnerability in BMC Control-M before 9.0.20.214 allows attackers to execute arbitrary SQL commands via the memname JSON field. | |
| CVE-2022-26088 | Nov 10, 2022 | **BMC Remedy <22.1: Email To Field HTML Injection via Incident Forwarding** An issue was discovered in BMC Remedy before 22.1. Email-based Incident Forwarding allows remote authenticated users to inject HTML (such as an SSRF payload) into the Activity Log by placing it in the To: field. This affects rendering that occurs upon a click in the "number of recipients" field. NOTE: the vendor's position is that "no real impact is demonstrated." | |
| CVE-2022-35864 | Aug 03, 2022 | **SQL Injection in BMC Track-It! 20.21.02.109 GetPopupSubQueryDetails Endpoint** This vulnerability allows remote attackers to disclose sensitive information on affected installations of BMC Track-It! 20.21.02.109. Authentication is required to exploit this vulnerability. The specific flaw exists within the GetPopupSubQueryDetails endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-16690. | |
| CVE-2022-35865 | Aug 03, 2022 | **Remote Code Execution via Unauthenticated HTTP Request in BMC Track-It! 20.21.2.109** This vulnerability allows remote attackers to execute arbitrary code on affected installations of BMC Track-It! 20.21.2.109. Authentication is not required to exploit this vulnerability. The specific flaw exists within the authorization of HTTP requests. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-16709. | |
| CVE-2022-24047 | Feb 18, 2022 | This vulnerability allows remote attackers to bypass authentication on affected installations of BMC Track-It! 20.21.01.102. Authentication is not required to exploit this vulnerability. The specific flaw exists within the authorization of HTTP requests. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-14618. | |
| CVE-2017-17675 | May 19, 2021 | BMC Remedy Mid Tier 9.1SP3 is affected by log hijacking. Remote logging can be accessed by unauthenticated users, allowing for an attacker to hijack the system logs. This data can include user names and HTTP data. | |
| CVE-2017-17677 | May 19, 2021 | BMC Remedy 9.1SP3 is affected by authenticated code execution. Authenticated users that have the right to create reports can use BIRT templates to run code. | |
| CVE-2017-17678 | May 19, 2021 | BMC Remedy Mid Tier 9.1SP3 is affected by cross-site scripting (XSS). A DOM-based cross-site scripting vulnerability was discovered in a legacy utility. | |
| CVE-2017-17674 | May 19, 2021 | BMC Remedy Mid Tier 9.1SP3 is affected by remote and local file inclusion. Due to the lack of restrictions on what can be targeted, the system can be vulnerable to attacks such as system fingerprinting, internal port scanning, Server Side Request Forgery (SSRF), or remote code execution (RCE). | |
| CVE-2019-11216 | Dec 04, 2019 | BMC Smart Reporting 7.3 20180418 allows authenticated XXE within the import functionality. One can import a malicious XML file and perform XXE attacks to download local files from the server, or do DoS attacks with XML expansion attacks. XXE with direct response and XXE OOB are allowed. | |
| CVE-2019-17043 | Oct 14, 2019 | An issue was discovered in BMC Patrol Agent 9.0.10i. Weak execution permissions on the best1collect.exe SUID binary could allow an attacker to elevate his/her privileges to the ones of the "patrol" user by specially crafting a shared library .so file that will be loaded during execution. | |
| CVE-2019-16755 | Sep 26, 2019 | BMC Remedy ITSM Suite is prone to unspecified vulnerabilities in both DWP and SmartIT components, which can permit remote attackers to perform pre-authenticated remote command execution on the Operating System running the targeted application. Affected DWP versions: 3.x to 18.x, all versions, service packs, and patches are affected by this vulnerability. Affected SmartIT versions: 1.x, 2.0, 18.05, 18.08, and 19.02, all versions, service packs, and patches are affected by this vulnerability. | |
| CVE-2019-1010147 | Jul 26, 2019 | Yellowfin Smart Reporting All Versions Prior to 7.3 is affected by: Incorrect Access Control - Privileges Escalation. The impact is: Victim attacked and access admin functionality through their browser and control browser. The component is: MIAdminStyles.i4. The attack vector is: Victims are typically lured to a web site under the attacker's control; the XSS vulnerability on the target domain is silently exploited without the victim's knowledge. The fixed version is: 7.4 and later. | |
| CVE-2019-8352 | May 20, 2019 | By default, BMC PATROL Agent through 11.3.01 uses a static encryption key for encrypting/decrypting user credentials sent over the network to managed PATROL Agent services. If an attacker were able to capture this network traffic, they could decrypt these credentials and use them to execute code or escalate privileges on the network. | |
| CVE-2018-18862 | Mar 21, 2019 | BMC Remedy Mid-Tier 7.1.00 and 9.1.02.003 for BMC Remedy AR System has Incorrect Access Control in ITAM forms, as demonstrated by TLS%3APLR-Configuration+Details/Default+Admin+View/, AST%3AARServerConnection/Default+Admin+View/, and AR+System+Administration%3A+Server+Information/Default+Admin+View/. | |
| CVE-2018-20735 | Jan 17, 2019 | An issue was discovered in BMC PATROL Agent through 11.3.01. It was found that the PatrolCli application can allow for lateral movement and escalation of privilege inside a Windows Active Directory environment. It was found that by default the PatrolCli / PATROL Agent application only verifies if the password provided for the given username is correct; it does not verify the permissions of the user on the network. This means if you have PATROL Agent installed on a high value target (domain controller), you can use a low privileged domain user to authenticate with PatrolCli and then connect to the domain controller and run commands as SYSTEM. This means any user on a domain can escalate to domain admin through PATROL Agent. NOTE: the vendor disputes this because they believe it is adequate to prevent this escalation by means of a custom, non-default configuration | |
| CVE-2018-19505 | Jan 03, 2019 | Remedy AR System Server in BMC Remedy 7.1 may fail to set the correct user context in certain impersonation scenarios, which can allow a user to act with the identity of a different user, because userdata.js in the WOI:WorkOrderConsole component allows a username substitution involving a UserData_Init call. | |
| CVE-2014-8270 | Dec 12, 2014 | BMC Track-It! 11.3 allows remote attackers to gain privileges and execute arbitrary code by creating an account whose name matches that of a local system account, then performing a password reset. | |
| CVE-2014-4874 | Oct 10, 2014 | BMC Track-It! 11.3.0.355 allows remote authenticated users to read arbitrary files by visiting the TrackItWeb/Attachment page. | |
| CVE-2014-4873 | Oct 10, 2014 | SQL injection vulnerability in TrackItWeb/Grid/GetData in BMC Track-It! 11.3.0.355 allows remote authenticated users to execute arbitrary SQL commands via crafted POST data. | |
| CVE-2014-4872 | Oct 10, 2014 | BMC Track-It! 11.3.0.355 does not require authentication on TCP port 9010, which allows remote attackers to upload arbitrary files, execute arbitrary code, or obtain sensitive credential and configuration information via a .NET Remoting request to (1) FileStorageService or (2) ConfigurationService. | |
| CVE-2007-1972 | Apr 22, 2007 | PatrolAgent.exe in BMC Performance Manager does not require authentication for requests to modify configuration files, which allows remote attackers to execute arbitrary code via a request on TCP port 3181 for modification of the masterAgentName and masterAgentStartLine SNMP parameters. NOTE: the vendor disputes this vulnerability, stating that it does not exist when the system is properly configured | |