CVE-2026-10539

CRITICAL

Unauthenticated command injection in Control-M/Server communication command

Title source: cna

Description

A Control-M/Server communication command does not sufficiently filter or sanitize user-supplied input. Under certain conditions, this issue may allow an unauthenticated attacker to execute unauthorized commands on the affected server, potentially leading to compromise of the server. This vulnerability affects Control-M/Server versions 9.0.20.x to 9.0.21.200 (inclusive) and potentially earlier unsupported versions.

Scores

CVSS v3 9.0
EPSS 0.0024
EPSS Percentile 14.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-305
Status published
Products (2)
BMC/Control-M/Server 9.0.20 - 9.0.21.200
BMC/Control-M/Server 9.0.21.300
Published Jul 01, 2026
Tracked Since Jul 01, 2026