Control M Enterprise Manager
Monthly
Server-side object injection in BMC Control-M/Server and Control-M/Enterprise Manager 9.0.20.x (and potentially earlier) lets an authenticated attacker abuse the messaging consumer to deserialize untrusted, type-unrestricted objects, triggering unintended server-side behavior that can escalate to full compromise of the automation server. The affected releases are already out of support, and the CVSS 4.0 base score is 8.9 (High) with high privileges and high attack complexity required. There is no public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Weak password hash storage in BMC Control-M/Enterprise Manager exposes account credentials to offline recovery attacks if an attacker gains access to the credential database. Affected are unsupported versions 9.0.20.x and potentially earlier legacy releases, meaning no vendor patch will be issued for these branches - upgrade to a supported release is the only vendor-endorsed remediation. The CVSS 4.0 vector (AV:L/PR:H/AT:P) confirms exploitation requires local, high-privilege access and specific attack conditions, significantly constraining real-world risk; no public exploit code and no CISA KEV listing have been identified at time of analysis.
Server-side object injection in BMC Control-M/Server and Control-M/Enterprise Manager 9.0.20.x (and potentially earlier) lets an authenticated attacker abuse the messaging consumer to deserialize untrusted, type-unrestricted objects, triggering unintended server-side behavior that can escalate to full compromise of the automation server. The affected releases are already out of support, and the CVSS 4.0 base score is 8.9 (High) with high privileges and high attack complexity required. There is no public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Weak password hash storage in BMC Control-M/Enterprise Manager exposes account credentials to offline recovery attacks if an attacker gains access to the credential database. Affected are unsupported versions 9.0.20.x and potentially earlier legacy releases, meaning no vendor patch will be issued for these branches - upgrade to a supported release is the only vendor-endorsed remediation. The CVSS 4.0 vector (AV:L/PR:H/AT:P) confirms exploitation requires local, high-privilege access and specific attack conditions, significantly constraining real-world risk; no public exploit code and no CISA KEV listing have been identified at time of analysis.