Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-10539

CVE-2026-10539: Control-M/Server RCE Vulnerability

CVE-2026-10539 is a remote code execution vulnerability in Control-M/Server that allows unauthenticated attackers to execute unauthorized commands. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-10539 Overview

CVE-2026-10539 is a command injection vulnerability in BMC Control-M/Server. A communication command fails to sufficiently filter or sanitize user-supplied input. Under certain conditions, an unauthenticated attacker can execute unauthorized commands on the affected server, potentially leading to full server compromise.

The vulnerability affects Control-M/Server versions 9.0.20.x through 9.0.21.200 inclusive, and potentially earlier unsupported versions. The flaw is classified under [CWE-305] (Authentication Bypass by Primary Weakness) and carries a CVSS 4.0 score of 9.5.

Critical Impact

Unauthenticated remote attackers can execute arbitrary commands on Control-M/Server hosts, compromising enterprise job scheduling infrastructure and connected systems.

Affected Products

  • BMC Control-M/Server versions 9.0.20.x through 9.0.21.200 (inclusive)
  • Potentially earlier unsupported Control-M/Server versions
  • Enterprise environments running Control-M workload automation

Discovery Timeline

  • 2026-07-01 - CVE-2026-10539 published to NVD
  • 2026-07-01 - Last updated in NVD database

Technical Details for CVE-2026-10539

Vulnerability Analysis

CVE-2026-10539 stems from improper input validation in a Control-M/Server communication command handler. The command processes network-supplied data without adequate filtering or sanitization. Attackers can inject operating system commands that the server executes in the context of the Control-M service account.

Control-M/Server orchestrates enterprise batch workloads across heterogeneous systems. Compromising this component grants attackers access to job definitions, credentials for connected agents, and the ability to execute jobs on downstream infrastructure. The lateral movement potential is significant given Control-M's typical deployment as a central automation hub.

Root Cause

The root cause is missing input sanitization in a network-facing communication command. The associated weakness [CWE-305] indicates authentication controls do not adequately protect the affected code path. Requests reach the vulnerable command handler without proof of identity, and the handler passes untrusted input into a command execution context.

Attack Vector

The attack vector is network-based with low complexity and no privileges required. An attacker sends a crafted request to the Control-M/Server communication endpoint. The malicious payload embeds shell metacharacters or command separators that the server interprets during processing. Successful exploitation yields arbitrary command execution on the host.

No public proof-of-concept exploit is currently available. The vulnerability has not been observed in active exploitation and is not listed in the CISA Known Exploited Vulnerabilities catalog. Technical specifics are described in the BMC Knowledge Article.

Detection Methods for CVE-2026-10539

Indicators of Compromise

  • Unexpected child processes spawned by Control-M/Server service binaries or the associated service account
  • Anomalous network connections to Control-M/Server communication ports from untrusted sources
  • Unauthorized modifications to job definitions, scheduling configurations, or Control-M scripts
  • Outbound connections from the Control-M/Server host to unknown external addresses following inbound communication requests

Detection Strategies

  • Monitor process ancestry on Control-M/Server hosts for shell interpreters (cmd.exe, powershell.exe, /bin/sh, /bin/bash) spawned by Control-M service processes
  • Inspect Control-M/Server communication logs for malformed requests containing shell metacharacters such as ;, |, &, backticks, or $()
  • Baseline normal Control-M network traffic and alert on connections from unauthorized sources to Control-M communication ports
  • Correlate authentication events with command execution activity to identify unauthenticated command flows

Monitoring Recommendations

  • Enable verbose logging on Control-M/Server communication components and forward logs to a centralized SIEM
  • Deploy endpoint telemetry on Control-M/Server hosts to capture process creation, command-line arguments, and network activity
  • Alert on new scheduled jobs or job modifications made outside change-management windows
  • Track file integrity for Control-M configuration directories and executable paths

How to Mitigate CVE-2026-10539

Immediate Actions Required

  • Identify all Control-M/Server instances running versions 9.0.20.x through 9.0.21.200 and prioritize them for remediation
  • Restrict network access to Control-M/Server communication ports using firewall rules, limiting connectivity to known agents and administrative hosts
  • Review Control-M/Server logs for evidence of anomalous commands or unauthenticated requests
  • Rotate credentials stored within Control-M if compromise is suspected

Patch Information

BMC has published remediation guidance in the BMC Knowledge Article. Administrators should apply the vendor-provided fixed version or hotfix for Control-M/Server as specified in the advisory. Verify the installed build after patching to confirm the fix is applied.

Workarounds

  • Place Control-M/Server behind network segmentation that permits communication only from authorized Control-M agents and management workstations
  • Enforce host-based firewall rules restricting inbound access to Control-M communication ports
  • Run Control-M/Server under a least-privilege service account to constrain the impact of any successful command execution
  • Increase monitoring on Control-M hosts until the vendor patch is applied and validated
bash
# Example: restrict inbound access to Control-M/Server communication port
# Replace CTM_PORT and TRUSTED_SUBNET with environment-specific values
iptables -A INPUT -p tcp --dport ${CTM_PORT} -s ${TRUSTED_SUBNET} -j ACCEPT
iptables -A INPUT -p tcp --dport ${CTM_PORT} -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.