
3 vulnerabilities found for Control-M/Server by BMC

CVE-2026-10538 (GCVE-0-2026-10538)

Vulnerability from cvelistv5 – Published: 2026-07-01 07:56 – Updated: 2026-07-01 12:24
Title
Improper deserialization handling in Control-M Components
Summary
Messaging consumer functionality allows deserialization of user-controlled data without sufficient restriction of allowed object types in the out-of-support Control-M/Server and Control-M/Enterprise Manager versions 9.0.20.x and potentially earlier. This issue may allow an authenticated attacker to trigger unintended server-side behavior through crafted serialized content.
CWE
  • CWE-502 - Deserialization of untrusted data
Assigner
Impacted products
Vendor Product Version
BMC Control-M/Enterprise Manager Unaffected: 9.0.21 (semver)
Affected: 9.0.20 , < 9.0.21 (semver)
    BMC Control-M/Server Unaffected: 9.0.21 (semver)
Affected: 9.0.20 , < 9.0.21 (semver)
Credits
Jean-Romain Garnier from [Airbus Security Lab](https://airbus-seclab.github.io) - <vuln@airbus.com>
Quentin Liddell from [Airbus Security Lab](https://airbus-seclab.github.io) - <vuln@airbus.com>

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-10538",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-01T12:23:03.498555Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-01T12:24:04.644Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "Control-M/Enterprise Manager",
          "vendor": "BMC",
          "versions": [
            {
              "status": "unaffected",
              "version": "9.0.21",
              "versionType": "semver"
            },
            {
              "lessThan": "9.0.21",
              "status": "affected",
              "version": "9.0.20",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Control-M/Server",
          "vendor": "BMC",
          "versions": [
            {
              "status": "unaffected",
              "version": "9.0.21",
              "versionType": "semver"
            },
            {
              "lessThan": "9.0.21",
              "status": "affected",
              "version": "9.0.20",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jean-Romain Garnier from [Airbus Security Lab](https://airbus-seclab.github.io) - \u003cvuln@airbus.com\u003e"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Quentin Liddell from [Airbus Security Lab](https://airbus-seclab.github.io) - \u003cvuln@airbus.com\u003e"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003eMessaging consumer functionality allows deserialization of user-controlled data without sufficient restriction of allowed object types in the out of support Control-M/Server and Control-M/Enterprise Manager versions 9.0.20.x and potentially earlier. This issue may allow an authenticated attacker to trigger unintended server-side behavior through crafted serialized content.\u003c/div\u003e"
            }
          ],
          "value": "Messaging consumer functionality allows deserialization of user-controlled data without sufficient restriction of allowed object types in the out of support Control-M/Server and Control-M/Enterprise Manager versions 9.0.20.x and potentially earlier. This issue may allow an authenticated attacker to trigger unintended server-side behavior through crafted serialized content."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.9,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of untrusted data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-01T07:56:31.099Z",
        "orgId": "24a3c815-5f22-4d74-967a-30958d6466f4",
        "shortName": "airbus"
      },
      "references": [
        {
          "url": "https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=kA3cx000000GFKrCAO\u0026type=Solution"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Improper deserialization handling in Control-M Components",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "24a3c815-5f22-4d74-967a-30958d6466f4",
    "assignerShortName": "airbus",
    "cveId": "CVE-2026-10538",
    "datePublished": "2026-07-01T07:56:31.099Z",
    "dateReserved": "2026-06-01T12:16:09.689Z",
    "dateUpdated": "2026-07-01T12:24:04.644Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-10539 (GCVE-0-2026-10539)

Vulnerability from cvelistv5 – Published: 2026-07-01 07:55 – Updated: 2026-07-01 12:29
Title
Unauthenticated command injection in Control-M/Server communication command
Summary
A Control-M/Server communication command does not sufficiently filter or sanitize user-supplied input. Under certain conditions, this issue may allow an unauthenticated attacker to execute unauthorized commands on the affected server, potentially leading to compromise of the server. This vulnerability affects Control-M/Server versions 9.0.20.x to 9.0.21.200 (inclusive) and potentially earlier unsupported versions.
CWE
  • CWE-305 - Authentication bypass by primary weakness
Assigner
Impacted products
Vendor Product Version
BMC Control-M/Server Unaffected: 9.0.21.300 (semver)
Affected: 9.0.20 , ≤ 9.0.21.200 (semver)
Credits
Jean-Romain Garnier from [Airbus Security Lab](https://airbus-seclab.github.io) - <vuln@airbus.com>
Quentin Liddell from [Airbus Security Lab](https://airbus-seclab.github.io) - <vuln@airbus.com>

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-10539",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-01T12:25:47.650975Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-01T12:29:09.837Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "Control-M/Server",
          "vendor": "BMC",
          "versions": [
            {
              "status": "unaffected",
              "version": "9.0.21.300",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.0.21.200",
              "status": "affected",
              "version": "9.0.20",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jean-Romain Garnier from [Airbus Security Lab](https://airbus-seclab.github.io) - \u003cvuln@airbus.com\u003e"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Quentin Liddell from [Airbus Security Lab](https://airbus-seclab.github.io) - \u003cvuln@airbus.com\u003e"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eA Control-M/Server communication command does not sufficiently filter or sanitize user-supplied input. Under certain conditions, this issue may allow an unauthenticated attacker to execute unauthorized commands on the affected server, potentially leading to compromise of the server.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThis vulnerability affects Control-M/Server versions 9.0.20.x to 9.0.21.200 (included) and potentially earlier unsupported versions.\u003c/p\u003e"
            }
          ],
          "value": "A Control-M/Server communication command does not sufficiently filter or sanitize user-supplied input. Under certain conditions, this issue may allow an unauthenticated attacker to execute unauthorized commands on the affected server, potentially leading to compromise of the server.\u00a0\n\n\n\nThis vulnerability affects Control-M/Server versions 9.0.20.x to 9.0.21.200 (included) and potentially earlier unsupported versions."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 9.5,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-305",
              "description": "CWE-305 Authentication bypass by primary weakness",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-01T07:55:00.615Z",
        "orgId": "24a3c815-5f22-4d74-967a-30958d6466f4",
        "shortName": "airbus"
      },
      "references": [
        {
          "url": "https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=kA3cx000000GFZNCA4\u0026type=Solution"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Unauthenticated command injection in Control-M/Server communication command",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "24a3c815-5f22-4d74-967a-30958d6466f4",
    "assignerShortName": "airbus",
    "cveId": "CVE-2026-10539",
    "datePublished": "2026-07-01T07:55:00.615Z",
    "dateReserved": "2026-06-01T12:16:11.016Z",
    "dateUpdated": "2026-07-01T12:29:09.837Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-48709 (GCVE-0-2025-48709)

Vulnerability from cvelistv5 – Published: 2025-08-07 00:00 – Updated: 2025-12-01 21:57
Title
BMC Control-M/Server cleartext database credentials in process lists and logs
Summary
BMC Control-M/Server 9.0.21.300 displays cleartext database credentials in process lists and logs. An authenticated attacker with shell access could observe these credentials and use them to log in to the database server. For example, when Control-M/Server on Windows has a database connection on, it runs 'DBUStatus.exe' frequently, which then calls 'dbu_connection_details.vbs' with the username, password, database hostname, and port written in cleartext, which can be seen in event and process logs in two separate locations. Fixed in PACTV.9.0.21.307.
CWE
  • CWE-532 - Insertion of Sensitive Information into Log File
  • CWE-214 - Invocation of Process Using Visible Sensitive Information
Assigner
Impacted products
Vendor Product Version
BMC Control-M/Server Affected: 9.0.21.300 , < PACTV.9.0.21.307 (custom)
Unaffected: PACTV.9.0.21.307
Credits
Derrick Polakoff

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:bmc:control-m:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "control-m",
            "vendor": "bmc",
            "versions": [
              {
                "lessThan": "9.0.21.300 PACTV.9.0.21.307",
                "status": "affected",
                "version": "9.0.21.300",
                "versionType": "custom"
              },
              {
                "status": "unaffected",
                "version": "PACTV.9.0.21.307"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-48709",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-27T15:23:04.978628Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-01T21:57:06.906Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "Control-M/Server",
          "vendor": "BMC",
          "versions": [
            {
              "lessThan": "PACTV.9.0.21.307",
              "status": "affected",
              "version": "9.0.21.300",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "PACTV.9.0.21.307"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Derrick Polakoff"
        }
      ],
      "datePublic": "2025-08-06T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "BMC Control-M/Server 9.0.21.300 displays cleartext database credentials in process lists and logs. An authenticated attacker with shell access could observe these credentials and use them to log in to the database server. For example, when Control-M/Server on Windows has a database connection on, it runs \u0027DBUStatus.exe\u0027 frequently, which then calls \u0027dbu_connection_details.vbs\u0027 with the username, password, database hostname, and port written in cleartext, which can be seen in event and process logs in two separate locations. Fixed in PACTV.9.0.21.307."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 3.8,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        {
          "other": {
            "content": {
              "id": "CVE-2025-48709",
              "options": [
                {
                  "Exploitation": "poc"
                },
                {
                  "Automatable": "no"
                },
                {
                  "Technical Impact": "partial"
                }
              ],
              "role": "CISA Coordinator",
              "timestamp": "2025-10-02T16:23:53.246063Z",
              "version": "2.0.3"
            },
            "type": "ssvc"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532 Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-214",
              "description": "CWE-214 Invocation of Process Using Visible Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-01T21:20:49.549Z",
        "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "shortName": "cisa-cg"
      },
      "references": [
        {
          "name": "url",
          "url": "https://docs.bmc.com/xwiki/bin/view/Control-M-Orchestration/Control-M/ctm9021/Patches/Control-M-Server-PACTV-9-0-21-307/"
        }
      ],
      "title": "BMC Control-M/Server cleartext database credentials in process lists and logs"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-48709",
    "datePublished": "2025-08-07T00:00:00.000Z",
    "dateReserved": "2025-05-23T00:00:00.000Z",
    "dateUpdated": "2025-12-01T21:57:06.906Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}