10

CVE-2025-55108

BMC Control-M/Agent default configuration does not enforce SSL/TLS allowing unauthorized actions and remote code execution

The Control-M/Agent is vulnerable to unauthenticated remote code execution, arbitrary file read and write and similar unauthorized actions when mutual SSL/TLS authentication is not enabled (i.e. in the default configuration).


NOTE: 

  *  The vendor believes that this vulnerability only occurs when documented security best practices are not followed. BMC has always strongly recommended to use security best practices such as configuring SSL/TLS between Control-M Server and Agent.

  *  The vendor notifies that Control-M/Agent is not impacted in Control-M SaaS
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerBMC
Produkt Control-M/Agent
Default Statusaffected
Version 9.0.22
Status affected
Version 9.0.21
Status affected
Version 9.0.20
Status affected
Version 9.0.19
Status affected
Version 9.0.18
Status affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.72% 0.491
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
cert@airbus.com 9.5 0 0
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
cert@airbus.com 10 3.9 6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000442099
https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441962
https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000442271