Skip to main content

Control M Server

3 CVEs product

Monthly

CVE-2026-10538 HIGH PATCH This Week

Server-side object injection in BMC Control-M/Server and Control-M/Enterprise Manager 9.0.20.x (and potentially earlier) lets an authenticated attacker abuse the messaging consumer to deserialize untrusted, type-unrestricted objects, triggering unintended server-side behavior that can escalate to full compromise of the automation server. The affected releases are already out of support, and the CVSS 4.0 base score is 8.9 (High) with high privileges and high attack complexity required. There is no public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

Deserialization Control M Enterprise Manager Control M Server
NVD VulDB
CVSS 4.0
8.9
EPSS
0.2%
CVE-2026-10539 CRITICAL Act Now

Unauthenticated command execution in BMC Control-M/Server (versions 9.0.20.x through 9.0.21.200) arises because a Control-M/Server communication command fails to sufficiently filter or sanitize user-supplied input, allowing an attacker to run unauthorized commands and potentially fully compromise the affected server. The flaw carries a critical CVSS 4.0 base score of 9.5 and is classified as an authentication bypass by Airbus, who reported it. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Control M Server
NVD VulDB
CVSS 4.0
9.5
EPSS
0.2%
CVE-2025-48709 MEDIUM Monitor

BMC Control-M/Server 9.0.21.300 displays cleartext database credentials in process lists and logs. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.

Microsoft Information Disclosure Control M Server Windows
NVD
CVSS 4.0
4.8
EPSS
0.0%
EPSS 0% CVSS 8.9
HIGH PATCH This Week

Server-side object injection in BMC Control-M/Server and Control-M/Enterprise Manager 9.0.20.x (and potentially earlier) lets an authenticated attacker abuse the messaging consumer to deserialize untrusted, type-unrestricted objects, triggering unintended server-side behavior that can escalate to full compromise of the automation server. The affected releases are already out of support, and the CVSS 4.0 base score is 8.9 (High) with high privileges and high attack complexity required. There is no public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

Deserialization Control M Enterprise Manager Control M Server
NVD VulDB
EPSS 0% CVSS 9.5
CRITICAL Act Now

Unauthenticated command execution in BMC Control-M/Server (versions 9.0.20.x through 9.0.21.200) arises because a Control-M/Server communication command fails to sufficiently filter or sanitize user-supplied input, allowing an attacker to run unauthorized commands and potentially fully compromise the affected server. The flaw carries a critical CVSS 4.0 base score of 9.5 and is classified as an authentication bypass by Airbus, who reported it. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Control M Server
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM Monitor

BMC Control-M/Server 9.0.21.300 displays cleartext database credentials in process lists and logs. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.

Microsoft Information Disclosure Control M Server +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy