Skip to main content

BMC Control-M EUVDEUVD-2026-40926

| CVE-2026-10538 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-07-01 airbus GHSA-w883-5vxm-2pq9
8.9
CVSS 4.0 · Vendor: airbus
Share

Severity by source

Vendor (airbus) PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.0 HIGH

Network-reachable messaging consumer (AV:N) but needs a privileged account (PR:H) and a non-trivial gadget chain (AC:H); deserialization impacts downstream components so S:C with full C/I/A loss.

3.1 AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (airbus).

CVSS VectorVendor: airbus

CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 01, 2026 - 09:01 EUVD
Analysis Generated
Jul 01, 2026 - 08:34 vuln.today

DescriptionCVE.org

Messaging consumer functionality allows deserialization of user-controlled data without sufficient restriction of allowed object types in the out of support Control-M/Server and Control-M/Enterprise Manager versions 9.0.20.x and potentially earlier. This issue may allow an authenticated attacker to trigger unintended server-side behavior through crafted serialized content.

AnalysisAI

Server-side object injection in BMC Control-M/Server and Control-M/Enterprise Manager 9.0.20.x (and potentially earlier) lets an authenticated attacker abuse the messaging consumer to deserialize untrusted, type-unrestricted objects, triggering unintended server-side behavior that can escalate to full compromise of the automation server. The affected releases are already out of support, and the CVSS 4.0 base score is 8.9 (High) with high privileges and high attack complexity required. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain high-privilege authenticated access
Delivery
Reach Control-M messaging consumer channel
Exploit
Submit crafted serialized object
Execution
Server deserializes unrestricted object types
Persist
Trigger gadget chain server-side execution
Impact
Compromise automation server and downstream systems

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session with high privileges (CVSS PR:H) and the ability to reach the Control-M messaging consumer functionality that deserializes client-supplied content - this is the exact feature named in the description. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and point to a real but non-trivial-to-exploit risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who already holds a high-privilege authenticated foothold (e.g., a compromised operator/admin account or malicious insider) crafts a malicious serialized object and submits it to the Control-M messaging consumer. Because allowed object types are not restricted, the server deserializes the payload and executes an attacker-influenced gadget chain, letting the actor manipulate server-side logic or run code on the automation server. …
Remediation Because the impacted 9.0.20.x branch is out of support, the primary remediation is to upgrade Control-M/Server and Control-M/Enterprise Manager to a current, vendor-supported major release that is not affected, following the vendor knowledge article at https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=kA3cx000000GFKrCAO&type=Solution (no exact fixed 9.0.20.x version was provided in the input, so treat this as an upgrade-off-EOL action rather than an in-branch patch). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Control-M/Server and Enterprise Manager deployments; document version numbers and identify instances running 9.0.20.x or earlier; audit administrative account activity logs for the past 90 days. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40926 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy