Which versions of Windows are affected by CVE-2025-48709?

CVE-2025-48709 presents moderate security risk rated CVSS 4.8. Exploitation could compromise the security of affected deployments.

How to fix or mitigate CVE-2025-48709?

During next maintenance window: Identify affected systems and apply vendor patches when convenient. Monitor vendor channels for patch availability.

Windows CVE-2025-48709

Q: What is the CVSS score of CVE-2025-48709?

CVE-2025-48709 has a CVSS 4.0 base score of 4.8 (Medium). CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

MEDIUM

Invocation of Process Using Visible Sensitive Information (CWE-214)

2025-08-07 9119a7d8-5eab-497f-8521-727c672e3725

Windows Information Disclosure Microsoft Control M Server

4.8

CVSS 4.0

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:05 vuln.today

CVE Published

Aug 07, 2025 - 20:15 nvd

MEDIUM 4.8

DescriptionNVD

BMC Control-M/Server 9.0.21.300 displays cleartext database credentials in process lists and logs. An authenticated attacker with shell access could observe these credentials and use them to log in to the database server. For example, when Control-M/Server on Windows has a database connection on, it runs 'DBUStatus.exe' frequently, which then calls 'dbu_connection_details.vbs' with the username, password, database hostname, and port written in cleartext, which can be seen in event and process logs in two separate locations. Fixed in PACTV.9.0.21.307.

AnalysisAI

BMC Control-M/Server 9.0.21.300 displays cleartext database credentials in process lists and logs. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-214. BMC Control-M/Server 9.0.21.300 displays cleartext database credentials in process lists and logs. An authenticated attacker with shell access could observe these credentials and use them to log in to the database server. For example, when Control-M/Server on Windows has a database connection on, it runs 'DBUStatus.exe' frequently, which then calls 'dbu_connection_details.vbs' with the username, password, database hostname, and port written in cleartext, which can be seen in event and process logs in two separate locations. Fixed in PACTV.9.0.21.307. Affected products include: Bmc Control-M\/Server.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.