Description
Messaging consumer functionality allows deserialization of user-controlled data without sufficient restriction of allowed object types in the out of support Control-M/Server and Control-M/Enterprise Manager versions 9.0.20.x and potentially earlier. This issue may allow an authenticated attacker to trigger unintended server-side behavior through crafted serialized content.
Published: 2026-07-01
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The weakness is CWE‑502, deserialization of untrusted data: the messaging consumer in BMC Control‑M/Enterprise Manager and Control‑M/Server deserializes user‑controlled input without restricting the object types it is willing to instantiate. An authenticated attacker can therefore deliver crafted serialized content that, in the vendor's words, "may allow ... unintended server‑side behavior". The advisory names no specific outcome, but the assigned metrics do: both CVSS vectors rate confidentiality, integrity and availability impact as high, with scope changed (v3.1) and high subsequent‑system impact (v4.0), and the SSVC assessment records the technical impact as "total". Full compromise of the affected server is therefore the assessed worst case, which for unrestricted object deserialization typically means driving attacker‑chosen code paths through classes already present on the server.

Affected Systems

Affected products are BMC Control‑M/Enterprise Manager and Control‑M/Server version 9.0.20.x, which is out of support, and potentially earlier releases. The advisory gives no lower bound and names no supported release as affected, so any 9.0.20.x or older installation should be treated as affected until the vendor states otherwise. Because these versions are unsupported, the lax type restriction in their messaging consumer will not be corrected in place.

Risk and Exploitability

The attack surface is the messaging consumer that accepts serialized input. Both CVSS vectors rate the required privileges as high (PR:H) and the attack complexity as high (AC:H): the attacker needs an account with elevated rights on the messaging interface, not merely any valid login, and the SSVC assessment marks the issue as not automatable with no known exploitation. The CVSS 4.0 score is 8.9 (High) and the CVSS 3.1 score is 8.0; EPSS is below 1% (Very Low) and the vulnerability is not listed in the CISA KEV catalog. High severity on unsupported, unpatched software still leaves the risk significant for any environment running the affected releases, particularly where the messaging interface is reachable over the network (AV:N).

Generated by OpenCVE AI on July 1, 2026 at 12:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a currently supported Control‑M release. The advisory scopes the issue to the out‑of‑support 9.0.20.x line and potentially earlier, and no fix is offered for those versions.
  • If an upgrade cannot be performed immediately, restrict the messaging consumer endpoint at the network level to the hosts that legitimately produce messages, or disable it, so that untrusted serialized data cannot reach it.
  • Enforce strict access controls on the messaging interface and keep the privileges of accounts that can reach it to the minimum. Both CVSS vectors assume high privileges (PR:H), so reducing the set of accounts that hold them directly shrinks the exploitable population.

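As an added illustration, not code from BMC or from this advisory, the following Java program shows the weakness class this CVE describes next to the control the recommended actions call "deserialization type validation". It assumes a Java ObjectInputStream‑based consumer, which is the common shape of CWE‑502 in JMS‑style messaging; the advisory does not state what serialization format Control‑M's consumer uses. The JobEvent message type, the method names and the sample payloads are hypothetical and constructed inline.

```java
import java.io.*;
import java.util.HashMap;

public class DeserializationFilterDemo {

    // Hypothetical message type the consumer is meant to receive.
    static final class JobEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String jobName;
        final int exitCode;
        JobEvent(String jobName, int exitCode) {
            this.jobName = jobName;
            this.exitCode = exitCode;
        }
    }

    // Vulnerable shape (the pattern this CVE describes): no restriction on
    // object types, so any Serializable class on the classpath can be
    // instantiated by whoever controls the bytes.
    static Object consumeUnrestricted(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return in.readObject();
        }
    }

    // Hardened shape: a JEP 290 ObjectInputFilter that allows exactly the
    // expected message class (plus String), caps depth/size, and rejects
    // everything else with the trailing "!*".
    static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxarray=1000;maxbytes=65536;"
            + JobEvent.class.getName() + ";java.lang.String;!*");

    static Object consumeFiltered(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(ALLOW_LIST);
            // The filter is consulted on the class descriptor, before any
            // constructor, readObject or readResolve hook of that class runs.
            return in.readObject(); // throws InvalidClassException when rejected
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new JobEvent("nightly-backup", 0));
        // Constructed stand-in for a crafted payload: any class outside the
        // allow-list. A real attacker would choose classes already present on
        // the server; HashMap is used only to show that the decision is made
        // on class identity, not on what the object would do once built.
        byte[] unexpected = serialize(new HashMap<String, String>());

        System.out.println("unrestricted, legit:      " + consumeUnrestricted(legit).getClass().getName());
        System.out.println("unrestricted, unexpected: " + consumeUnrestricted(unexpected).getClass().getName());
        System.out.println("filtered, legit:          " + consumeFiltered(legit).getClass().getName());
        try {
            consumeFiltered(unexpected);
            System.out.println("filtered, unexpected:     ACCEPTED (filter not effective)");
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected:     rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with Java 9 or later (javac DeserializationFilterDemo.java && java DeserializationFilterDemo). The unrestricted consumer instantiates whatever class name arrives in the stream; the filtered one rejects the HashMap before any of that class's deserialization hooks execute, which is the property that breaks gadget chains. In production the allow‑list should enumerate exactly the message classes the consumer handles. Where the consumer runs on a JVM you cannot rebuild, the same filter can be applied process‑wide with the standard -Djdk.serialFilter=... system property, which is the kind of compensating control to consider for an unsupported release.
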
Advisories

No advisories yet.

History

Wed, 01 Jul 2026 13:30:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 08:15:00 +0000

Type          Values Removed   Values Added
Description   (none)           Messaging consumer functionality allows deserialization of user-controlled data without sufficient restriction of allowed object types in the out of support Control-M/Server and Control-M/Enterprise Manager versions 9.0.20.x and potentially earlier. This issue may allow an authenticated attacker to trigger unintended server-side behavior through crafted serialized content.
Title         (none)           Improper deserialization handling in Control-M Components
Weaknesses    (none)           CWE-502
References    (none)           (none)
Metrics       (none)           cvssV3_1: {'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}
                               cvssV4_0: {'score': 8.9, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: airbus

Published:

Updated: 2026-07-01T12:24:04.644Z

Reserved: 2026-06-01T12:16:09.689Z

Link: CVE-2026-10538

Vulnrichment

Updated: 2026-07-01T12:23:59.520Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T13:00:15Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data