The Control-M/Agent is vulnerable to unauthenticated remote code execution, arbitrary file read and write and similar unauthorized actions when mutual SSL/TLS authentication is not enabled (i.e. in the default configuration).
NOTE:
* The vendor believes that this vulnerability only occurs when documented security best practices are not followed. BMC has always strongly recommended to use security best practices such as configuring SSL/TLS between Control-M Server and Agent.
* The vendor notifies that Control-M/Agent is not impacted in Control-M SaaS
References
Configurations
No configuration.
History
18 Nov 2025, 15:16
| Type | Values Removed | Values Added |
|---|---|---|
| Summary | (en) The Control-M/Agent is vulnerable to unauthenticated remote code execution, arbitrary file read and write and similar unauthorized actions when mutual SSL/TLS authentication is not enabled (i.e. in the default configuration). NOTE: * The vendor believes that this vulnerability only occurs when documented security best practices are not followed. BMC has always strongly recommended to use security best practices such as configuring SSL/TLS between Control-M Server and Agent. * The vendor notifies that Control-M/Agent is not impacted in Control-M SaaS |
05 Nov 2025, 09:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-11-05 09:15
Updated : 2025-11-18 15:16
NVD link : CVE-2025-55108
Mitre link : CVE-2025-55108
CVE.ORG link : CVE-2025-55108
JSON object : View
Products Affected
No product.
CWE
CWE-306
Missing Authentication for Critical Function