Home

Description

The Control-M/Agent is vulnerable to unauthenticated remote code execution, arbitrary file read and write and similar unauthorized actions when mutual SSL/TLS authentication is not enabled (i.e. in the default configuration). NOTE: The vendor believes that this vulnerability only occurs when documented security best practices are not followed. BMC has always strongly recommended to use security best practices such as configuring SSL/TLS between Control-M Server and Agent.

PUBLISHED Reserved 2025-08-07 | Published 2025-11-05 | Updated 2025-11-06 | Assigner airbus




CRITICAL: 9.5CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CRITICAL: 10.0CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Problem types

CWE-306 Missing Authentication for Critical Function

Product status

Default status
affected

9.0.22 (semver)
affected

9.0.21 (semver)
affected

9.0.20 (semver)
affected

9.0.19 (semver)
affected

9.0.18 (semver)
affected

Credits

Airbus SAS - Jean-Romain Garnier - seclab@airbus.com finder

References

bmcapps.my.site.com/.../sc_KnowledgeArticle?sfdcid=000442099 vendor-advisory

bmcapps.my.site.com/.../sc_KnowledgeArticle?sfdcid=000441962 mitigation

bmcapps.my.site.com/.../sc_KnowledgeArticle?sfdcid=000442271 mitigation

cve.org (CVE-2025-55108)

nvd.nist.gov (CVE-2025-55108)

Download JSON