Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable messaging consumer (AV:N) but needs a privileged account (PR:H) and a non-trivial gadget chain (AC:H); deserialization impacts downstream components so S:C with full C/I/A loss.
Primary rating from Vendor (airbus).
CVSS VectorVendor: airbus
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Messaging consumer functionality allows deserialization of user-controlled data without sufficient restriction of allowed object types in the out of support Control-M/Server and Control-M/Enterprise Manager versions 9.0.20.x and potentially earlier. This issue may allow an authenticated attacker to trigger unintended server-side behavior through crafted serialized content.
AnalysisAI
Server-side object injection in BMC Control-M/Server and Control-M/Enterprise Manager 9.0.20.x (and potentially earlier) lets an authenticated attacker abuse the messaging consumer to deserialize untrusted, type-unrestricted objects, triggering unintended server-side behavior that can escalate to full compromise of the automation server. The affected releases are already out of support, and the CVSS 4.0 base score is 8.9 (High) with high privileges and high attack complexity required. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated session with high privileges (CVSS PR:H) and the ability to reach the Control-M messaging consumer functionality that deserializes client-supplied content - this is the exact feature named in the description. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and point to a real but non-trivial-to-exploit risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who already holds a high-privilege authenticated foothold (e.g., a compromised operator/admin account or malicious insider) crafts a malicious serialized object and submits it to the Control-M messaging consumer. Because allowed object types are not restricted, the server deserializes the payload and executes an attacker-influenced gadget chain, letting the actor manipulate server-side logic or run code on the automation server. … |
| Remediation | Because the impacted 9.0.20.x branch is out of support, the primary remediation is to upgrade Control-M/Server and Control-M/Enterprise Manager to a current, vendor-supported major release that is not affected, following the vendor knowledge article at https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=kA3cx000000GFKrCAO&type=Solution (no exact fixed 9.0.20.x version was provided in the input, so treat this as an upgrade-off-EOL action rather than an in-branch patch). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Control-M/Server and Enterprise Manager deployments; document version numbers and identify instances running 9.0.20.x or earlier; audit administrative account activity logs for the past 90 days. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Control M Enterprise Manager
View allSame weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40926
GHSA-w883-5vxm-2pq9