Control M Bmc Control M


By the Year

In 2026 there have been 0 vulnerabilities in Bmc Control M. Last year, in 2025, Control M had 12 security vulnerabilities published. Right now, Control M is on track to have fewer security vulnerabilities in 2026 than it did last year.

Year Vulnerabilities Average Score
2026 0 0.00
2025 12 7.28
2024 3 6.67
2023 2 9.80

It may take a day or so for new Control M vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Bmc Control M Security Vulnerabilities

BMC Control-M/Agent RCE via Unauthenticated Mutual TLS
CVE-2025-55108 10 - Critical - November 05, 2025

The Control-M/Agent is vulnerable to unauthenticated remote code execution, arbitrary file read and write, and similar unauthorized actions when mutual SSL/TLS authentication is not enabled (i.e. in the default configuration).

NOTE:
* The vendor believes that this vulnerability only occurs when documented security best practices are not followed. BMC has always strongly recommended following security best practices such as configuring SSL/TLS between Control-M/Server and Agent.
* The vendor notes that Control-M/Agent is not impacted in Control-M SaaS.

Missing Authentication for Critical Function

Control-M/Agent 9.x Memory Corruption via SSL/TLS config (use_openssl=n)
CVE-2025-55118 8.9 - High - September 16, 2025

Memory corruptions can be remotely triggered in the Control-M/Agent when SSL/TLS communication is configured. The issue occurs in the following cases:
* Control-M/Agent 9.0.20: SSL/TLS configuration is set to the non-default setting "use_openssl=n";
* Control-M/Agent 9.0.21 and 9.0.22: Agent router configuration uses the non-default settings "JAVA_AR=N" and "use_openssl=n".

Heap-based Buffer Overflow

Control-M/Agent 9.0.20-9.0.22: Buffer Overflow via SSL/TLS Config
CVE-2025-55117 5.3 - Medium - September 16, 2025

A stack-based buffer overflow can be remotely triggered when formatting an error message in the Control-M/Agent when SSL/TLS communication is configured. The issue occurs in the following cases:
* Control-M/Agent 9.0.20: SSL/TLS configuration is set to the non-default setting "use_openssl=n";
* Control-M/Agent 9.0.21 and 9.0.22: Agent router configuration uses the non-default settings "JAVA_AR=N" and "use_openssl=n".

Stack Overflow

Control-M/Agent buffer overflow (<=9.0.20) leads to LPE
CVE-2025-55116 8.8 - High - September 16, 2025

A buffer overflow in the Control-M/Agent can lead to a local privilege escalation when an attacker has access to the system running the Agent. This vulnerability impacts the out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions.

Stack Overflow

Control-M/Agent Local Privilege Escalation via Path Traversal 9.0.18-9.0.20
CVE-2025-55115 8.8 - High - September 16, 2025

A path traversal in the Control-M/Agent can lead to a local privilege escalation when an attacker has access to the system running the Agent. This vulnerability impacts the out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions. This vulnerability was fixed in 9.0.20.100 and above.

Relative Path Traversal

Control-M/Agent Auth-IP Validation & SSL/TLS Order CVE-2025-55114
CVE-2025-55114 5.3 - Medium - September 16, 2025

The improper order of AUTHORIZED_CTM_IP validation in the Control-M/Agent, where the Control-M/Server IP address is validated only after the SSL/TLS handshake is completed, exposes the Control-M/Agent to vulnerabilities in the SSL/TLS implementation under certain non-default conditions (e.g. CVE-2025-55117 or CVE-2025-55118) or potentially to resource exhaustion.

Incorrect Behavior Order

Control-M/Agent 9.0.18-9.0.20 ACL Bypass via NULL byte in cert
CVE-2025-55113 9 - Critical - September 16, 2025

If the Access Control List is enforced by the Control-M/Agent and the C router is in use (default in Out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions; non-default but configurable using the JAVA_AR setting in newer versions), the verification stops at the first NULL byte encountered in the email address referenced in the client certificate. An attacker could bypass configured ACLs by using a specially crafted certificate.

Improper Neutralization of Null Byte or NUL Character

Control-M 9.0.18-20 Blowfish Hardcoded Key Decrypts Traffic
CVE-2025-55112 7.4 - High - September 16, 2025

Out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 (and potentially earlier unsupported versions) that are configured to use the non-default Blowfish cryptography algorithm use a hardcoded key. An attacker with access to network traffic and to this key could decrypt network traffic between the Control-M/Agent and Server.

Use of Hard-coded Cryptographic Key

Control-M/Agent 9.0.18–9.0.20 Permissive File Permissions Expose SSL Keys
CVE-2025-55111 5.5 - Medium - September 16, 2025

Certain files with overly permissive permissions were identified in the out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions, as well as in newer versions that were upgraded from an affected version. These files contain keys and passwords relating to SSL files, the keystore and policies. An attacker with local access to the system running the Agent can read these files.

Incorrect Default Permissions

Control-M Agents Default Keystore PW Disclosure
CVE-2025-55110 5.5 - Medium - September 16, 2025

Control-M/Agents use a kdb or PKCS#12 keystore by default, and the default keystore password is well known and documented. An attacker with read access to the keystore could access sensitive data using this password.

Use of Default Credentials (CWE-1392)

Control-M/Agent 9.0.18-20 Auth Bypass via Empty kdb/PKCS#12 Keystores
CVE-2025-55109 9 - Critical - September 16, 2025

An authentication bypass vulnerability exists in the out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions when using an empty or default kdb keystore or a default PKCS#12 keystore. A remote attacker with access to a signed third-party or demo certificate for client authentication can bypass the need for a certificate signed by the certificate authority of the organization during authentication on the Control-M/Agent. The Control-M/Agent contains hardcoded certificates which are only trusted as fallback if an empty kdb keystore is used; they are never trusted if a PKCS#12 keystore is used. All of these certificates are now expired. In addition, the Control-M/Agent default kdb and PKCS#12 keystores contain trusted third-party certificates (external recognized CAs and default self-signed demo certificates) which are trusted for client authentication.

Improper Certificate Validation

BMC Control-M 9.0.21.300 dbu_connection_details.vbs Credential Exposure
CVE-2025-48709 3.8 - Low - August 07, 2025

BMC Control-M/Server 9.0.21.300 displays cleartext database credentials in process lists and logs. An authenticated attacker with shell access could observe these credentials and use them to log in to the database server. For example, when Control-M/Server on Windows has an active database connection, it frequently runs 'DBUStatus.exe', which then calls 'dbu_connection_details.vbs' with the username, password, database hostname, and port passed in cleartext; these can be seen in event and process logs in two separate locations. Fixed in PACTV.9.0.21.307.

Insertion of Sensitive Information into Log File

BMC ControlM 9.0.20/21 Report Mgmt Improper Auth Any Report Accessible
CVE-2024-1604 6.8 - Medium - March 18, 2024

Improper authorization in the report management and creation module of BMC Control-M branches 9.0.20 and 9.0.21 allows logged-in users to read and make unauthorized changes to any reports available within the application, even without proper permissions. The attacker must know the unique identifier of the report they want to manipulate. Fix for 9.0.20 branch was released in version 9.0.20.238. Fix for 9.0.21 branch was released in version 9.0.21.201.

Insecure Direct Object Reference / IDOR

ControlM DLL Load Vulnerability (9.0.20/21) Arbitrary DLL from RW Dir
CVE-2024-1605 7.8 - High - March 18, 2024

BMC Control-M branches 9.0.20 and 9.0.21, upon user login, load all Dynamic Link Libraries (DLLs) from a directory that grants Write and Read permissions to all users. Leveraging this leads to the loading of potentially malicious libraries, which will execute with the application's privileges. Fix for the 9.0.20 branch was released in version 9.0.20.238. Fix for the 9.0.21 branch was released in version 9.0.21.201.

Incorrect Default Permissions

XSS via unsanitized input in BMC ControlM 9.0.20/9.0.21 web UI
CVE-2024-1606 5.4 - Medium - March 18, 2024

Lack of input sanitization in BMC Control-M branches 9.0.20 and 9.0.21 allows logged-in users to manipulate generated web pages via injection of HTML code. This might lead to a successful phishing attack, for example by tricking users into following a hyperlink pointing to a website controlled by an attacker. Fix for the 9.0.20 branch was released in version 9.0.20.238. Fix for the 9.0.21 branch was released in version 9.0.21.200.

SQL Injection via deleteReport in BMC Control-M 9.0.20.200
CVE-2023-39122 9.8 - Critical - July 31, 2023

BMC Control-M through 9.0.20.200 allows SQL injection via the /RF-Server/report/deleteReport report-id parameter. This is fixed in 9.0.21 (and is also fixed by a patch for 9.0.20.200).

SQL Injection

SQLi in BMC ControlM <9.0.20.214 via memname JSON
CVE-2023-26550 9.8 - Critical - February 25, 2023

A SQL injection vulnerability in BMC Control-M before 9.0.20.214 allows attackers to execute arbitrary SQL commands via the memname JSON field.

SQL Injection
