Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A set of default debug user credentials is hardcoded in cleartext within the application package. If left unchanged, these credentials can be easily obtained and may allow unauthorized access to the MFT API debug interface.
AnalysisAI
Hardcoded debug credentials in BMC Control-M/MFT 9.0.20-9.0.22 enable unauthenticated remote attackers to access the MFT API debug interface with full system privileges. The vulnerability (CWE-798) stems from cleartext default credentials embedded in the application package, providing complete confidentiality, integrity, and availability compromise (CVSS 9.8). No public exploit identified at time of analysis, with EPSS score of 0.02% indicating low observed exploitation activity despite critical severity rating.
Technical ContextAI
BMC Control-M/MFT is an enterprise managed file transfer solution used for secure data exchange in production environments. This vulnerability involves CWE-798 (Use of Hard-coded Credentials), where default debug user credentials are embedded in cleartext within the application package itself. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates these credentials can be extracted remotely with no authentication required and low attack complexity. The debug interface likely provides administrative API access to MFT operations, potentially exposing file transfer configurations, credentials for connected systems, and control over data flows. Hard-coded credentials represent a systemic weakness in the build/deployment process, as they cannot be rotated without patching the software itself, and are identical across all installations unless manually changed post-deployment.
RemediationAI
Apply BMC patch PAAFP-9-0-22-025 immediately for Control-M/MFT 9.0.22 installations, available at https://docs.bmc.com/xwiki/bin/view/Control-M-Orchestration/Control-M/ctm9022/Patches/Control-M-MFT-PAAFP-9-0-22-025/. Organizations running 9.0.20 or 9.0.21 should contact BMC support via https://www.bmc.com/support/resources/issue-defect-management.html to obtain version-specific patches or upgrade guidance. As immediate mitigation before patching, verify that debug interfaces are disabled in production environments, restrict network access to MFT API endpoints using firewall rules limiting connections to authorized management networks only, and audit logs for any historical use of debug credentials. After patching, rotate all API credentials and review access logs for the debug interface to identify potential prior compromise. Defense-in-depth measures include implementing network segmentation to isolate MFT servers and enabling multi-factor authentication on administrative interfaces where supported.
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21404
GHSA-76mr-v53w-7h6c