CVE-2025-55108
CRITICALBMC Control-M/Agent 9.0.18-9.0.22 - Unauthenticated Remote Code Execution and Arbitrary File Read/Write
Title source: llmDescription
The Control-M/Agent is vulnerable to unauthenticated remote code execution, arbitrary file read and write and similar unauthorized actions when mutual SSL/TLS authentication is not enabled (i.e. in the default configuration). NOTE: * The vendor believes that this vulnerability only occurs when documented security best practices are not followed. BMC has always strongly recommended to use security best practices such as configuring SSL/TLS between Control-M Server and Agent. * The vendor notifies that Control-M/Agent is not impacted in Control-M SaaS
References (3)
Core 3
Core References
Various Sources vendor-advisory
https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000442099
Various Sources mitigation
https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441962
Various Sources mitigation
https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000442271
Scores
CVSS v3
10.0
EPSS
0.0070
EPSS Percentile
48.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-306
Status
published
Products (5)
BMC/Control-M/Agent
9.0.18
BMC/Control-M/Agent
9.0.19
BMC/Control-M/Agent
9.0.20
BMC/Control-M/Agent
9.0.21
BMC/Control-M/Agent
9.0.22
Published
Nov 05, 2025
Tracked Since
Feb 18, 2026