Impact
A Control‑M/Server communication command does not properly filter or sanitize user‑supplied input, allowing an unauthenticated attacker to execute arbitrary commands on the affected server. The flaw lets the attacker run any code with the privileges of the Control‑M/Server process, potentially leading to complete system compromise. The vulnerability is classified as CWE‑305 and carries a CVSS score of 9.5, rated high impact.
Affected Systems
The vulnerability affects BMC Control‑M/Server versions 9.0.20.x through 9.0.21.200 inclusive, and may also exist in earlier unsupported releases.
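The affected range above is the one concrete detail a defender can act on immediately. The following is an added example (not part of the advisory and not BMC tooling) that classifies inventoried Control-M/Server versions against that range; it assumes versions are reported as dotted numeric strings, and the host names in the sample inventory are constructed.

```python
"""Version-range check for the affected BMC Control-M/Server releases.

Added example, not from the advisory: parses dotted version strings and
reports whether a build falls inside the affected range 9.0.20.x through
9.0.21.200 (inclusive), or is an earlier release the advisory says may
also be affected.
"""
from typing import List, Tuple

# Bounds taken from the advisory text.
AFFECTED_LOW = (9, 0, 20)          # any 9.0.20.x build
AFFECTED_HIGH = (9, 0, 21, 200)    # inclusive upper bound


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.0.21.100' into (9, 0, 21, 100); reject non-numeric parts."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def _cmp(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Compare version tuples component-wise; missing components count as 0."""
    n = max(len(a), len(b))
    a2 = a + (0,) * (n - len(a))
    b2 = b + (0,) * (n - len(b))
    return (a2 > b2) - (a2 < b2)


def classify(version: str) -> str:
    """Return 'affected', 'possibly-affected' (older, unsupported) or 'not-affected'."""
    v = parse_version(version)
    if _cmp(v, AFFECTED_LOW) < 0:
        return "possibly-affected"   # earlier unsupported release per the advisory
    if _cmp(v, AFFECTED_HIGH) <= 0:
        return "affected"
    return "not-affected"


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Classify (hostname, version) pairs from an inventory list."""
    return [(host, ver, classify(ver)) for host, ver in inventory]


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = [("ctm-prod-01", "9.0.21.100"), ("ctm-dev-02", "9.0.21.300"),
              ("ctm-legacy", "9.0.19.200"), ("ctm-new", "9.0.22")]
    for row in triage(sample):
        print(*row)
```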
Risk and Exploitability
The elevated CVSS score indicates high severity, while no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote and unauthenticated: an attacker with network reach to the Control‑M/Server interface could exploit the command injection without authenticating, gaining full control over the server.
OpenCVE Enrichment