CVE-2026-23781

CRITICAL

BMC Control-M/MFT 9.0.20-9.0.22 - Auth Bypass

Title source: llm

Description

An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A set of default debug user credentials is hardcoded in cleartext within the application package. If left unchanged, these credentials can be easily obtained and may allow unauthorized access to the MFT API debug interface.

Scores

CVSS v3 9.8
EPSS 0.0007
EPSS Percentile 20.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-798
Status published
Products (1)
bmc/control-m\/managed_file_transfer 9.0.20 - 9.0.22
Published Apr 10, 2026
Tracked Since Apr 10, 2026