Description
A Control-M/Server communication command does not sufficiently filter or sanitize user-supplied input. Under certain conditions, this issue may allow an unauthenticated attacker to execute unauthorized commands on the affected server, potentially leading to compromise of the server.

This vulnerability affects Control-M/Server versions 9.0.20.x to 9.0.21.200 (included) and potentially earlier unsupported versions.
Published: 2026-07-01
Score: 9.5 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Control‑M/Server communication command does not properly filter or sanitize user‑supplied input. Under certain conditions an unauthenticated attacker can use this to execute unauthorized commands on the affected server; those commands would run with the privileges of the Control‑M/Server process, so successful exploitation can lead to complete compromise of the host. The entry is classified as CWE‑305 (Authentication Bypass by Primary Weakness) and is rated Critical, with a CVSS v4.0 base score of 9.5 and a CVSS v3.1 base score of 9.0.

Affected Systems

The vulnerability affects BMC Control‑M/Server versions 9.0.20.x through 9.0.21.200 inclusive, and may also exist in earlier unsupported releases.

Risk and Exploitability

Both CVSS base scores (9.5 under v4.0, 9.0 under v3.1) are in the Critical range, while the EPSS estimate is below 1% (Very Low), the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation and rates it not automatable. The attack vector is network‑based with no privileges or user interaction required, but both vectors record a precondition (AC:H in v3.1, AT:P in v4.0), matching the "under certain conditions" wording of the description. An attacker with network reach to the vulnerable communication command could exploit the injection without authentication and gain full control of the server.

Generated by OpenCVE AI on July 1, 2026 at 12:47 UTC.
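The affected range above (9.0.20.x through 9.0.21.200 inclusive, with older unsupported builds flagged as "potentially" affected) is easy to get wrong with a string comparison, because "9.0.21.30" sorts after "9.0.21.200" lexically. The following is an added example, not OpenCVE or BMC code: it parses Control-M/Server version strings numerically and triages an inventory against the advisory's boundaries. The range limits come from the advisory text; the sample inventory is constructed, and the handling of hotfix suffixes such as "-hf1" is an assumption about version formatting.

```python
"""Classify Control-M/Server versions against the advisory's affected range
(9.0.20.x through 9.0.21.200 inclusive).

Added example, not OpenCVE or BMC code. Range boundaries come from the
advisory text; suffix handling (e.g. '9.0.21.200-hf1') is an assumption.
"""
import re

# Affected range from the advisory: 9.0.20.x .. 9.0.21.200 (inclusive).
AFFECTED_MIN = (9, 0, 20)
AFFECTED_MAX = (9, 0, 21, 200)

_LEADING_DIGITS = re.compile(r"\d+")


def parse_version(text: str) -> tuple:
    """Turn '9.0.21.200' into (9, 0, 21, 200) so it compares numerically.

    A plain string comparison gets this wrong: '9.0.21.30' > '9.0.21.200'
    lexically, although 9.0.21.30 is the older build. A non-numeric suffix
    (assumed format, e.g. '-hf1') is dropped from the component it follows.
    """
    parts = []
    for component in text.strip().split("."):
        match = _LEADING_DIGITS.match(component)
        if match is None:
            break
        parts.append(int(match.group()))
    if not parts:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(parts)


def classify(version_text: str) -> str:
    """Return 'affected', 'not_affected' or 'unsupported_check_vendor'.

    Tuple comparison handles the inclusive upper bound and a missing fourth
    component ('9.0.21' sorts below '9.0.21.200'). Versions older than 9.0.20
    fall outside the tested range, but the advisory calls them 'potentially'
    affected, so they are flagged rather than cleared.
    """
    version = parse_version(version_text)
    if version < AFFECTED_MIN:
        return "unsupported_check_vendor"
    if version <= AFFECTED_MAX:
        return "affected"
    return "not_affected"


def triage(inventory):
    """Group (host, version) pairs by classification."""
    buckets = {"affected": [], "not_affected": [], "unsupported_check_vendor": []}
    for host, version in inventory:
        buckets[classify(version)].append(host)
    return buckets


# Constructed sample inventory for demonstration; not real hosts.
SAMPLE_INVENTORY = [
    ("ctm-prod-01", "9.0.21.200"),
    ("ctm-prod-02", "9.0.21.30"),
    ("ctm-test-01", "9.0.21.201"),
    ("ctm-legacy-01", "9.0.19.100"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feed it the version column of whatever asset inventory you keep; the "unsupported_check_vendor" bucket is the one to escalate, since those hosts are both potentially vulnerable and outside the range the vendor tested.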

Remediation

No vendor fix or workaround is recorded in the CVE entry at the time of writing.

OpenCVE Recommended Actions

  • Check BMC’s Knowledge Article at https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=kA3cx000000GFZNCA4&type=Solution for the vendor fix for this command injection flaw and apply it as soon as it is available; the CVE entry itself records no fix yet.
  • Immediately restrict network access to Control‑M/Server: allow inbound connections to its listening ports only from trusted hosts (Control‑M/Enterprise Manager and the Control‑M/Agents it manages) and trusted networks, and block everything else at the firewall. A firewall cannot tell authenticated from unauthenticated clients, so the restriction has to be by source address, not by user.
  • Disable or isolate any unused Control‑M/Server services that expose the vulnerable communication command, and monitor the server’s logs and process activity for unexpected child processes spawned by the Control‑M/Server process.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 13:30:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 08:15:00 +0000

Type          Values Removed   Values Added
Description   -                A Control-M/Server communication command does not sufficiently filter or sanitize user-supplied input. Under certain conditions, this issue may allow an unauthenticated attacker to execute unauthorized commands on the affected server, potentially leading to compromise of the server. This vulnerability affects Control-M/Server versions 9.0.20.x to 9.0.21.200 (included) and potentially earlier unsupported versions.
Title         -                Unauthenticated command injection in Control-M/Server communication command
Weaknesses    -                CWE-305
References    -                -
Metrics       -                cvssV3_1 {'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}
                               cvssV4_0 {'score': 9.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: airbus

Published:

Updated: 2026-07-01T12:29:09.837Z

Reserved: 2026-06-01T12:16:11.016Z

Link: CVE-2026-10539

Vulnrichment

Updated: 2026-07-01T12:29:06.500Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T13:00:15Z

Weaknesses
  • CWE-305

    Authentication Bypass by Primary Weakness