Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. An API management endpoint allows unauthenticated users to obtain both an API identifier and its corresponding secret value. With these exposed secrets, an attacker could invoke privileged API operations, potentially leading to unauthorized access.
AnalysisAI
BMC Control-M/MFT 9.0.20-9.0.22 exposes API identifiers and secret values to unauthenticated remote attackers via an API management endpoint, enabling unauthorized invocation of privileged API operations. The CVSS vector (AV:N/AC:L/PR:N) confirms network-accessible, low-complexity exploitation requiring no authentication. Despite a 7.5 CVSS score, EPSS probability is minimal (0.03%, 8th percentile), and no public exploit or active exploitation (non-KEV) is identified at time of analysis.
Technical ContextAI
Control-M/MFT is BMC's managed file transfer solution within the Control-M Orchestration suite. The vulnerability stems from improper access control (CWE-284) on an API management endpoint that exposes both API client identifiers and their corresponding secret credentials without requiring authentication. In typical OAuth2/API key architectures, client secrets must be protected as they function like passwords for programmatic access. This endpoint failure allows trivial credential harvesting. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates any remote attacker can retrieve these secrets via simple HTTP requests without user interaction. The S:U (unchanged scope) suggests exploitation remains within the vulnerable component's authorization boundary, though the C:H (high confidentiality impact) confirms significant data exposure. Available CPE data is non-specific, but vendor advisory references confirm the affected product as Control-M/MFT versions 9.0.20, 9.0.21, and 9.0.22.
RemediationAI
Apply vendor-released patch documented in BMC Control-M Server PACTV-9-0-21-308 or later maintenance release as referenced in https://docs.bmc.com/xwiki/bin/view/Control-M-Orchestration/Control-M/ctm9021/Patches/Control-M-Server-PACTV-9-0-21-308. Organizations running 9.0.20 or 9.0.22 should consult BMC's issue and defect management portal at https://www.bmc.com/support/resources/issue-defect-management.html to identify equivalent patches for their specific version. As an interim compensating control, restrict network access to Control-M/MFT API management endpoints using firewall rules or application-layer access controls to trusted administrative IP ranges only. Review API access logs for unauthorized credential retrieval attempts (GET requests to API management endpoints from unexpected sources) and rotate any potentially exposed API secrets. Organizations unable to patch immediately should consider temporarily disabling the vulnerable API management endpoint if business continuity permits, pending patch deployment.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21371
GHSA-83mf-f2q6-j3gg