Description
An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A SQL injection vulnerability in the MFT API's debug interface allows an authenticated attacker to inject malicious queries due to improper input validation and unsafe dynamic SQL handling. Successful exploitation can enable arbitrary file read/write operations and potentially lead to remote code execution.
Published: 2026-04-10
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A SQL injection flaw exists in the MFT API debug interface of BMC Control‑M/MFT versions 9.0.20 through 9.0.22. The weakness arises from improper input validation and the use of unsafe dynamic SQL, allowing an authenticated user to inject arbitrary SQL statements. Successful exploitation can read or write files on the underlying system and may allow arbitrary code execution. The flaw corresponds to CWE‑89, the classic SQL injection defect.

Affected Systems

BMC Control‑M/MFT 9.0.20, 9.0.21, and 9.0.22 are affected. No other product versions are known to be impacted. Administrators should verify whether their installations include these specific releases.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.8, classifying it as High severity, while the EPSS score is below 1%, indicating a low probability of exploitation at present. It is not listed in the CISA KEV catalog. The likely attack vector is remote over the network, as the debug interface is accessed via the MFT API over HTTP/HTTPS. Exploitation requires authenticated access to the API; once authenticated, the attacker can craft malicious queries to perform file manipulation and potentially execute system commands.

Generated by OpenCVE AI on April 14, 2026 at 18:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch 9.0.22-025 to eliminate the SQL injection flaw.
  • Upgrade to a newer, unpatched version of BMC Control‑M/MFT if available.
  • If a patch is not yet available, restrict network access to the MFT API debug interface or disable it entirely.
  • Monitor system logs for suspicious SQL activity and signs of unauthorized file changes.

Generated by OpenCVE AI on April 14, 2026 at 18:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Bmc control-m\/managed File Transfer
CPEs cpe:2.3:a:bmc:control-m\/managed_file_transfer:*:*:*:*:*:*:*:*
Vendors & Products Bmc control-m\/managed File Transfer

Wed, 15 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Title SQL Injection in BMC Control‑M/MFT Debug API Enables Remote Code Execution

Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Title SQL Injection in BMC Control‑M/MFT API Debug Interface Enables Remote Code Execution
Weaknesses CWE-20

Tue, 14 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Title SQL Injection in BMC Control‑M/MFT API Debug Interface Enables Remote Code Execution
Weaknesses CWE-20
CWE-89

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Bmc
Bmc control-m
Vendors & Products Bmc
Bmc control-m

Fri, 10 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
Description An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A SQL injection vulnerability in the MFT API's debug interface allows an authenticated attacker to inject malicious queries due to improper input validation and unsafe dynamic SQL handling. Successful exploitation can enable arbitrary file read/write operations and potentially lead to remote code execution.
References

Subscriptions

Bmc Control-m Control-m\/managed File Transfer
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-14T13:56:44.167Z

Reserved: 2026-01-16T00:00:00.000Z

Link: CVE-2026-23780

cve-icon Vulnrichment

Updated: 2026-04-14T13:56:37.302Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-10T15:16:23.083

Modified: 2026-04-27T19:11:56.540

Link: CVE-2026-23780

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T16:00:07Z

Weaknesses