Home

Description

Out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 (and potentially earlier unsupported versions) that are configured to use the non-default Blowfish cryptography algorithm use a hardcoded key. An attacker with access to network traffic and to this key could decrypt network traffic between the Control-M/Agent and Server.

PUBLISHED Reserved 2025-08-07 | Published 2025-09-16 | Updated 2025-09-17 | Assigner airbus




HIGH: 7.6CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

HIGH: 7.4CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Problem types

CWE-321 Use of Hard-coded Cryptographic Key

CWE-327 Use of a Broken or Risky Cryptographic Algorithm

Product status

Default status
affected

9.0.21 (semver)
unaffected

9.0.20 (semver)
affected

9.0.19 (semver)
affected

9.0.18 (semver)
affected

Credits

Airbus SAS - Jean-Romain Garnier - seclab@airbus.com finder

References

bmcapps.my.site.com/.../sc_KnowledgeArticle?sfdcid=000442099 vendor-advisory

bmcapps.my.site.com/.../sc_KnowledgeArticle?sfdcid=000441966 mitigation

cve.org (CVE-2025-55112)

nvd.nist.gov (CVE-2025-55112)

Download JSON