CVE-2025-55118
HIGH
Control-M/Agent <9.0.20,9.0.21,9.0.22 - Memory Corruption
Title source: llm
Description
Memory corruptions can be remotely triggered in the Control-M/Agent when SSL/TLS communication is configured. The issue occurs in the following cases:
* Control-M/Agent 9.0.20: SSL/TLS configuration is set to the non-default setting "use_openssl=n";
* Control-M/Agent 9.0.21 and 9.0.22: Agent router configuration uses the non-default settings "JAVA_AR=N" and "use_openssl=n"
References (2)
Core References
Various Sources vendor-advisory
https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000442099
Various Sources mitigation
https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441972
Scores
CVSS v3
8.9
EPSS
0.0034
EPSS Percentile
25.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-122
CWE-125
CWE-191
CWE-415
CWE-416
CWE-665
CWE-787
CWE-835
Status
published
Products (5)
BMC/Control-M/Agent
9.0.18
BMC/Control-M/Agent
9.0.19
BMC/Control-M/Agent
9.0.20
BMC/Control-M/Agent
9.0.21
BMC/Control-M/Agent
9.0.22.000
Published
Sep 16, 2025
Tracked Since
Feb 18, 2026