Skip to main content

BMC Control-M CVE-2026-23781

| EUVDEUVD-2026-21404 CRITICAL
Use of Hard-coded Credentials (CWE-798)
2026-04-10 mitre GHSA-76mr-v53w-7h6c
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 27, 2026 - 19:22 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 15:25 vuln.today
CVSS changed
Apr 14, 2026 - 15:22 NVD
9.8 (CRITICAL)
EUVD ID Assigned
Apr 10, 2026 - 16:00 euvd
EUVD-2026-21404
CVE Published
Apr 10, 2026 - 00:00 nvd
N/A

DescriptionCVE.org

An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A set of default debug user credentials is hardcoded in cleartext within the application package. If left unchanged, these credentials can be easily obtained and may allow unauthorized access to the MFT API debug interface.

AnalysisAI

Hardcoded debug credentials in BMC Control-M/MFT 9.0.20-9.0.22 enable unauthenticated remote attackers to access the MFT API debug interface with full system privileges. The vulnerability (CWE-798) stems from cleartext default credentials embedded in the application package, providing complete confidentiality, integrity, and availability compromise (CVSS 9.8). No public exploit identified at time of analysis, with EPSS score of 0.02% indicating low observed exploitation activity despite critical severity rating.

Technical ContextAI

BMC Control-M/MFT is an enterprise managed file transfer solution used for secure data exchange in production environments. This vulnerability involves CWE-798 (Use of Hard-coded Credentials), where default debug user credentials are embedded in cleartext within the application package itself. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates these credentials can be extracted remotely with no authentication required and low attack complexity. The debug interface likely provides administrative API access to MFT operations, potentially exposing file transfer configurations, credentials for connected systems, and control over data flows. Hard-coded credentials represent a systemic weakness in the build/deployment process, as they cannot be rotated without patching the software itself, and are identical across all installations unless manually changed post-deployment.

RemediationAI

Apply BMC patch PAAFP-9-0-22-025 immediately for Control-M/MFT 9.0.22 installations, available at https://docs.bmc.com/xwiki/bin/view/Control-M-Orchestration/Control-M/ctm9022/Patches/Control-M-MFT-PAAFP-9-0-22-025/. Organizations running 9.0.20 or 9.0.21 should contact BMC support via https://www.bmc.com/support/resources/issue-defect-management.html to obtain version-specific patches or upgrade guidance. As immediate mitigation before patching, verify that debug interfaces are disabled in production environments, restrict network access to MFT API endpoints using firewall rules limiting connections to authorized management networks only, and audit logs for any historical use of debug credentials. After patching, rotate all API credentials and review access logs for the debug interface to identify potential prior compromise. Defense-in-depth measures include implementing network segmentation to isolate MFT servers and enabling multi-factor authentication on administrative interfaces where supported.

Share

CVE-2026-23781 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy