Skip to main content

Control-M/Server EUVDEUVD-2026-40925

| CVE-2026-10539 CRITICAL
Authentication Bypass by Primary Weakness (CWE-305)
2026-07-01 airbus GHSA-qhfm-m6pm-jrq6
9.5
CVSS 4.0 · Vendor: airbus
Share

Severity by source

Vendor (airbus) PRIMARY
9.5 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.0 CRITICAL

Network-reachable and unauthenticated (AV:N/PR:N), but the 'under certain conditions' precondition maps to AC:H; injected commands executed by the server escape the component boundary (S:C) with full C/I/A loss.

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (airbus).

CVSS VectorVendor: airbus

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 01, 2026 - 08:30 vuln.today

DescriptionCVE.org

A Control-M/Server communication command does not sufficiently filter or sanitize user-supplied input. Under certain conditions, this issue may allow an unauthenticated attacker to execute unauthorized commands on the affected server, potentially leading to compromise of the server.

This vulnerability affects Control-M/Server versions 9.0.20.x to 9.0.21.200 (included) and potentially earlier unsupported versions.

AnalysisAI

Unauthenticated command execution in BMC Control-M/Server (versions 9.0.20.x through 9.0.21.200) arises because a Control-M/Server communication command fails to sufficiently filter or sanitize user-supplied input, allowing an attacker to run unauthorized commands and potentially fully compromise the affected server. The flaw carries a critical CVSS 4.0 base score of 9.5 and is classified as an authentication bypass by Airbus, who reported it. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach Control-M/Server communication port
Delivery
Send crafted command with unsanitized input
Exploit
Bypass authentication on command path
Execution
Server executes injected command
Impact
Full server compromise

Vulnerability AssessmentAI

Exploitation Exploitation targets the Control-M/Server communication command interface, which is network-reachable and, per the CVSS vector (PR:N/UI:N), requires no authentication and no user interaction against Control-M/Server 9.0.20.x-9.0.21.200. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a genuine high-priority issue rather than an inflated CVSS number: the CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) describes a network-reachable, low-complexity, unauthenticated attack requiring no user interaction, with High confidentiality, integrity, and availability impact on both the vulnerable and subsequent systems (VC/VI/VA:H and SC/SI/SA:H), yielding a 9.5 critical score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network reachability to a Control-M/Server instance sends a crafted message to the vulnerable communication command, injecting unsanitized input that the server executes, and - because no authentication is required - obtains unauthorized command execution leading to server compromise. Given the AT:P requirement, the attacker may first need a specific condition or configuration to be present on the target. …
Remediation Patch available per vendor advisory: consult BMC's knowledge article at https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=kA3cx000000GFZNCA4&type=Solution to obtain the fixed Control-M/Server build, as an exact fixed version number is not stated in the provided data - upgrade above 9.0.21.200 to the version BMC designates as remediated. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Control-M/Server instances in versions 9.0.20.x through 9.0.21.200 and restrict inbound network access to administrative subnets via firewall rules. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40925 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy