CVE-2026-10539
CRITICAL
Unauthenticated command injection in Control-M/Server communication command
Title source: cna
Description
A Control-M/Server communication command does not sufficiently filter or sanitize user-supplied input. Under certain conditions, this issue may allow an unauthenticated attacker to execute unauthorized commands on the affected server, potentially leading to compromise of the server. This vulnerability affects Control-M/Server versions 9.0.20.x to 9.0.21.200 (included) and potentially earlier unsupported versions.
References (1)
Core 1
Scores
CVSS v3: 9.0
EPSS: 0.0024
EPSS Percentile: 14.4%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-305
Status: published
Products (2)
BMC/Control-M/Server: 9.0.20 - 9.0.21.200
BMC/Control-M/Server: 9.0.21.300
Published: Jul 01, 2026
Tracked Since: Jul 01, 2026