Description
An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A set of default debug user credentials is hardcoded in cleartext within the application package. If left unchanged, these credentials can be easily obtained and may allow unauthorized access to the MFT API debug interface.
Published: 2026-04-10
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to MFT API debug interface
Action: Apply Patch
AI Analysis

Impact

A set of default debug user credentials is embedded in cleartext within BMC Control‑M/MFT versions 9.0.20 through 9.0.22. The presence of these credentials means that the application can be accessed without any password change until the patch is applied. This vulnerability allows an unauthenticated attacker to log into the debug interface of the MFT API. Based on the description, it is inferred that such access could potentially expose sensitive configuration data or internal logs, but the CVE does not explicitly state the extent of actions an attacker could perform beyond obtaining API access.

Affected Systems

BMC Control‑M and MFT versions 9.0.20, 9.0.21, and 9.0.22 are affected by the hard‑coded credentials.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity, reflecting the high impact of unauthorized API access. The EPSS score is less than 1%, suggesting current exploitation is rare, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is network access to the MFT API combined with the use of predictable default credentials, an inference drawn from the nature of the hard‑coded credentials described.

Generated by OpenCVE AI on April 14, 2026 at 18:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑released patch Control‑M‑MFT‑PAAFP‑9‑0‑22‑025 to remove hard‑coded credentials from the application package.
  • Verify the patch by confirming that the original default debug credentials no longer work for API access.
  • Limit exposure of the MFT API debug interface by configuring firewall or network segmentation rules so that only trusted hosts can reach it.
  • Conduct regular audits for other default or weak credentials and enforce password changes during installation and configuration updates.

Generated by OpenCVE AI on April 14, 2026 at 18:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Bmc control-m\/managed File Transfer
CPEs cpe:2.3:a:bmc:control-m\/managed_file_transfer:*:*:*:*:*:*:*:*
Vendors & Products Bmc control-m\/managed File Transfer

Wed, 15 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Title Hard‑Coded Default Debug Credentials in BMC Control‑M/MFT

Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Title Hardcoded Default Debug Credentials in BMC Control‑M/MFT 9.0.20–9.0.22 Permit Unauthorized API Access
Weaknesses CWE-259

Tue, 14 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-798
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Title Hardcoded Default Debug Credentials in BMC Control‑M/MFT 9.0.20–9.0.22 Permit Unauthorized API Access
Weaknesses CWE-259

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Bmc
Bmc control-m
Vendors & Products Bmc
Bmc control-m

Fri, 10 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Description An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A set of default debug user credentials is hardcoded in cleartext within the application package. If left unchanged, these credentials can be easily obtained and may allow unauthorized access to the MFT API debug interface.
References

Subscriptions

Bmc Control-m Control-m\/managed File Transfer
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-14T14:29:17.309Z

Reserved: 2026-01-16T00:00:00.000Z

Link: CVE-2026-23781

cve-icon Vulnrichment

Updated: 2026-04-14T14:28:46.129Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-10T16:16:30.400

Modified: 2026-04-27T19:11:38.623

Link: CVE-2026-23781

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T16:00:07Z

Weaknesses