Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A SQL injection vulnerability in the MFT API's debug interface allows an authenticated attacker to inject malicious queries due to improper input validation and unsafe dynamic SQL handling. Successful exploitation can enable arbitrary file read/write operations and potentially lead to remote code execution.
AnalysisAI
SQL injection in BMC Control-M/MFT 9.0.20-9.0.22 debug API enables authenticated attackers to execute arbitrary SQL queries, leading to file system access and potential remote code execution. CVSS 8.8 reflects network-accessible, low-complexity exploitation requiring low-privilege authentication. EPSS score of 0.04% (13th percentile) indicates minimal current exploitation probability, and no public exploit identified at time of analysis. Patch PAAFP-9-0-22-025 addresses the vulnerability.
Technical ContextAI
BMC Control-M/MFT (Managed File Transfer) is an enterprise automation platform for orchestrating file transfers across heterogeneous environments. The vulnerability (CWE-89: SQL Injection) resides in the MFT API's debug interface, where user-supplied input is incorporated into dynamically constructed SQL queries without proper sanitization or parameterized statement usage. This architectural flaw allows attackers to manipulate SQL syntax, breaking out of intended query logic to execute arbitrary database commands. The debug interface component exposes sensitive database operations that, in Control-M/MFT's architecture, can interact with file system operations and potentially command execution functions. The affected versions 9.0.20 through 9.0.22 share this unsafe dynamic SQL handling pattern in their API layer.
RemediationAI
Apply BMC patch PAAFP-9-0-22-025, available via the vendor's patch management portal at https://docs.bmc.com/xwiki/bin/view/Control-M-Orchestration/Control-M/ctm9022/Patches/Control-M-MFT-PAAFP-9-0-22-025/. Organizations should upgrade affected 9.0.20-9.0.22 installations to the patched 9.0.22 build incorporating this fix. As an interim compensating control, if patching cannot be immediately deployed, disable or restrict network access to the MFT API debug interface and review authentication mechanisms to ensure least-privilege access for API credentials. Monitor database and API logs for anomalous SQL query patterns or unexpected file system operations. Consult BMC's support resources at https://www.bmc.com/support/resources/issue-defect-management.html for deployment guidance and validation procedures.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21370
GHSA-wc24-xjh6-92j4