Skip to main content

BMC Control-M CVE-2026-23780

| EUVDEUVD-2026-21370 HIGH
SQL Injection (CWE-89)
2026-04-10 mitre GHSA-wc24-xjh6-92j4
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 27, 2026 - 19:22 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 15:23 vuln.today
CVSS changed
Apr 14, 2026 - 15:22 NVD
8.8 (HIGH)
EUVD ID Assigned
Apr 10, 2026 - 14:45 euvd
EUVD-2026-21370
CVE Published
Apr 10, 2026 - 00:00 nvd
N/A

DescriptionCVE.org

An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A SQL injection vulnerability in the MFT API's debug interface allows an authenticated attacker to inject malicious queries due to improper input validation and unsafe dynamic SQL handling. Successful exploitation can enable arbitrary file read/write operations and potentially lead to remote code execution.

AnalysisAI

SQL injection in BMC Control-M/MFT 9.0.20-9.0.22 debug API enables authenticated attackers to execute arbitrary SQL queries, leading to file system access and potential remote code execution. CVSS 8.8 reflects network-accessible, low-complexity exploitation requiring low-privilege authentication. EPSS score of 0.04% (13th percentile) indicates minimal current exploitation probability, and no public exploit identified at time of analysis. Patch PAAFP-9-0-22-025 addresses the vulnerability.

Technical ContextAI

BMC Control-M/MFT (Managed File Transfer) is an enterprise automation platform for orchestrating file transfers across heterogeneous environments. The vulnerability (CWE-89: SQL Injection) resides in the MFT API's debug interface, where user-supplied input is incorporated into dynamically constructed SQL queries without proper sanitization or parameterized statement usage. This architectural flaw allows attackers to manipulate SQL syntax, breaking out of intended query logic to execute arbitrary database commands. The debug interface component exposes sensitive database operations that, in Control-M/MFT's architecture, can interact with file system operations and potentially command execution functions. The affected versions 9.0.20 through 9.0.22 share this unsafe dynamic SQL handling pattern in their API layer.

RemediationAI

Apply BMC patch PAAFP-9-0-22-025, available via the vendor's patch management portal at https://docs.bmc.com/xwiki/bin/view/Control-M-Orchestration/Control-M/ctm9022/Patches/Control-M-MFT-PAAFP-9-0-22-025/. Organizations should upgrade affected 9.0.20-9.0.22 installations to the patched 9.0.22 build incorporating this fix. As an interim compensating control, if patching cannot be immediately deployed, disable or restrict network access to the MFT API debug interface and review authentication mechanisms to ensure least-privilege access for API credentials. Monitor database and API logs for anomalous SQL query patterns or unexpected file system operations. Consult BMC's support resources at https://www.bmc.com/support/resources/issue-defect-management.html for deployment guidance and validation procedures.

Share

CVE-2026-23780 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy