CVE-2025-55113 Overview
CVE-2025-55113 is an Access Control List (ACL) bypass vulnerability in BMC Control-M/Agent. The flaw resides in the certificate verification logic used by the C router. When the Access Control List is enforced by Control-M/Agent and the C router is in use, the verification routine stops processing the email address in the client certificate at the first NULL byte. An attacker can supply a specially crafted certificate to bypass configured ACLs and gain unauthorized access. The C router is the default in out-of-support Control-M/Agent versions 9.0.18 through 9.0.20 and potentially earlier unsupported releases. Newer versions are not default-vulnerable but remain configurable to the vulnerable behavior via the JAVA_AR setting. The weakness is classified as [CWE-158] Improper Neutralization of Null Byte or NUL Character.
Critical Impact
A remote attacker can bypass Control-M/Agent ACLs using a crafted client certificate, gaining unauthorized command and job execution capability on enterprise workload automation infrastructure.
Affected Products
- BMC Control-M/Agent versions 9.0.18 through 9.0.20 (out-of-support, C router default)
- Earlier unsupported BMC Control-M/Agent versions using the C router
- Newer BMC Control-M/Agent versions when the JAVA_AR setting is configured to use the C router
Discovery Timeline
- 2025-09-16 - CVE-2025-55113 published to NVD
- 2025-10-10 - Last updated in NVD database
Technical Details for CVE-2025-55113
Vulnerability Analysis
The vulnerability stems from how the C router component of Control-M/Agent parses the email address field embedded in client X.509 certificates. The routine treats the email string as a C-style null-terminated value. When the parser encounters a NULL byte (0x00) within the email attribute, it halts string evaluation at that point. An attacker who controls certificate generation can construct an email field such as trusted@victim.local\0attacker@evil.example. The ACL comparison sees only trusted@victim.local, while the full certificate may have been issued legitimately for the attacker-controlled domain after the NULL byte. The mismatch between certificate validation parsing and ACL enforcement parsing enables authentication-context spoofing without breaking certificate chain validation.
Root Cause
The root cause is improper neutralization of embedded NULL bytes in the certificate email Subject Alternative Name or subject field [CWE-158]. The C router relies on C string semantics rather than length-prefixed parsing aligned with ASN.1 encoded certificate fields. This parsing inconsistency between the certificate library and the ACL enforcement layer allows attackers to smuggle a controlled identity past authorization checks.
Attack Vector
The attack is network-reachable and requires no prior authentication. An attacker obtains or generates a certificate whose email attribute contains a NULL byte separating an allowed identity from an attacker-controlled identity. The crafted certificate is presented to the Control-M/Agent during the TLS handshake. The agent validates the certificate chain successfully because the trailing portion matches a domain the attacker legitimately controls. The ACL layer then truncates the email at the NULL byte and matches the prefix against an allowed entry. Successful bypass grants the attacker the privileges associated with the impersonated ACL entry on the Control-M/Agent host.
No public proof-of-concept code has been released. Refer to the BMC Knowledge Article #000441967 and BMC Knowledge Article #000442099 for vendor-specific technical details.
Detection Methods for CVE-2025-55113
Indicators of Compromise
- Client certificates presented to Control-M/Agent containing embedded NULL bytes (0x00) within the email or subject fields.
- Authentication events from Control-M/Agent where the source identity does not align with the source network address of the connecting host.
- Unexpected job submissions or command executions on Control-M/Agent hosts originating from external or non-management network segments.
- TLS handshakes terminating at Control-M/Agent ports from sources not present in baseline inventory.
Detection Strategies
- Inspect Control-M/Agent logs for ACL allow decisions correlated with unusual or first-seen client certificate fingerprints.
- Capture and parse client certificates from agent-bound TLS sessions to flag any certificate containing NULL bytes within RFC 822 name attributes.
- Baseline normal Control-M/Agent peers and alert on TLS connections from any source outside the established peer set.
- Monitor JAVA_AR configuration state across all Control-M/Agent installations to identify deployments that have selected the vulnerable C router path.
Monitoring Recommendations
- Centralize Control-M/Agent authentication and ACL decision logs into a SIEM and apply correlation rules for certificate anomalies.
- Track job execution lineage on Control-M/Agent hosts and alert on jobs initiated outside known scheduling windows or by unexpected principals.
- Continuously inventory installed Control-M/Agent versions to identify out-of-support 9.0.18 through 9.0.20 instances exposed on the network.
How to Mitigate CVE-2025-55113
Immediate Actions Required
- Identify all Control-M/Agent installations and confirm whether the C router is active by default or selected via the JAVA_AR setting.
- Apply the fixes referenced in BMC Knowledge Article #000441967 and BMC Knowledge Article #000442099.
- Upgrade out-of-support Control-M/Agent 9.0.18 through 9.0.20 deployments to a supported, patched release.
- Restrict network reachability of Control-M/Agent listeners to known management hosts using host-based and network firewalls.
Patch Information
BMC has published remediation guidance in BMC Knowledge Article #000441967 and BMC Knowledge Article #000442099. Customers running unsupported 9.0.18 through 9.0.20 builds must upgrade to a supported release, since fixes are not back-ported to out-of-support versions. Customers on newer versions should verify the JAVA_AR setting does not select the vulnerable C router.
Workarounds
- Switch Control-M/Agent from the C router to the Java router by configuring JAVA_AR to disable the vulnerable code path on versions that permit this option.
- Strictly limit the certificate authorities trusted by Control-M/Agent so that attackers cannot easily obtain certificates with controllable email attributes.
- Enforce network segmentation so only authorized Control-M/Server hosts can reach Control-M/Agent listening ports.
- Audit and prune Control-M/Agent ACL entries to minimize the identities a bypass could impersonate.
# Configuration example - switch to the Java router on supported versions
# Edit the Control-M/Agent configuration to set JAVA_AR
ctmsys -u <agent_user> -SET_AGENT_PARAM JAVA_AR Y
# Verify the active router configuration
ctmsys -u <agent_user> -GET_AGENT_PARAM JAVA_AR
# Restrict inbound connections to known Control-M/Server peers (Linux example)
iptables -A INPUT -p tcp --dport 7006 -s <control_m_server_ip> -j ACCEPT
iptables -A INPUT -p tcp --dport 7006 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

