Impact
The vulnerability arises from improper deserialization of user‑controlled data within the messaging consumer of BMC Control‑M Enterprise Manager and BMC Control‑M Server. The consumer places no restriction on which object types may be deserialized, the weakness classified as CWE‑502 (Deserialization of Untrusted Data). It allows an authenticated attacker to craft serialized payloads that trigger unintended server‑side behavior, up to arbitrary code execution or data corruption. The primary impact is therefore the potential for full compromise of the affected server.
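The defensive control the description says is missing is an allowlist on deserialized types. The following is an added illustration, not BMC's code, assuming a Java message consumer (the `SafeMessageDecoder`, `JobEvent` and filter pattern are constructed for this example): a JEP 290 `ObjectInputFilter` permits only the expected message class and rejects every other class before any object is instantiated.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

/** Hypothetical consumer that accepts exactly one message type from the broker. */
public final class SafeMessageDecoder {

    /** Constructed example of the single message type the consumer expects. */
    public static final class JobEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String jobName;
        final int exitCode;
        JobEvent(String jobName, int exitCode) { this.jobName = jobName; this.exitCode = exitCode; }
        @Override public String toString() { return jobName + " exited " + exitCode; }
    }

    // Allowlist filter (JEP 290): the expected message class and the JDK type it
    // contains are permitted; the trailing "!*" rejects every other class, and the
    // limits bound graph depth and size so a hostile stream cannot exhaust the consumer.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxarray=1000;maxrefs=100;maxbytes=65536;"
            + "SafeMessageDecoder$JobEvent;java.lang.String;!*");

    /** Deserialize one message body; any class outside the allowlist is rejected. */
    public static JobEvent decode(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(FILTER);   // must be set before the first readObject()
            return (JobEvent) in.readObject();
        }
    }

    /** Helper used only to build constructed sample message bodies for the demo. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("accepted: " + decode(serialize(new JobEvent("nightly-backup", 0))));
        try {
            decode(serialize(new HashMap<String, String>()));   // class not on the allowlist
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());  // filter status: REJECTED
        }
    }
}
```

The same policy can be applied process‑wide with the `jdk.serialFilter` system property, which is the practical option when the consumer code itself cannot be changed.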
Affected Systems
Affected products include BMC Control‑M Enterprise Manager and BMC Control‑M Server, specifically the out‑of‑support version 9.0.20.x and potentially earlier releases. Those versions are no longer supported and lack type restrictions on deserialization in their messaging integration.
Risk and Exploitability
Based on the description, the likely attack vector is the messaging consumer that accepts serialized input; an attacker must first hold valid credentials to reach the vulnerable endpoint. The CVSS score of 8.9 indicates high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Given the high severity, and despite the authentication requirement, the risk remains significant for any environment still operating the vulnerable Control‑M releases.
OpenCVE Enrichment