CVE-2026-10539 Overview
CVE-2026-10539 is a command injection vulnerability in BMC Control-M/Server. A communication command fails to sufficiently filter or sanitize user-supplied input. Under certain conditions, an unauthenticated attacker can execute unauthorized commands on the affected server, potentially leading to full server compromise.
The vulnerability affects Control-M/Server versions 9.0.20.x through 9.0.21.200 inclusive, and potentially earlier unsupported versions. The flaw is classified under [CWE-305] (Authentication Bypass by Primary Weakness) and carries a CVSS 4.0 score of 9.5.
Critical Impact
Unauthenticated remote attackers can execute arbitrary commands on Control-M/Server hosts, compromising enterprise job scheduling infrastructure and connected systems.
Affected Products
- BMC Control-M/Server versions 9.0.20.x through 9.0.21.200 (inclusive)
- Potentially earlier unsupported Control-M/Server versions
- Enterprise environments running Control-M workload automation
Discovery Timeline
- 2026-07-01 - CVE-2026-10539 published to NVD
- 2026-07-01 - Last updated in NVD database
Technical Details for CVE-2026-10539
Vulnerability Analysis
CVE-2026-10539 stems from improper input validation in a Control-M/Server communication command handler. The command processes network-supplied data without adequate filtering or sanitization. Attackers can inject operating system commands that the server executes in the context of the Control-M service account.
Control-M/Server orchestrates enterprise batch workloads across heterogeneous systems. Compromising this component grants attackers access to job definitions, credentials for connected agents, and the ability to execute jobs on downstream infrastructure. The lateral movement potential is significant given Control-M's typical deployment as a central automation hub.
Root Cause
The root cause is missing input sanitization in a network-facing communication command. The associated weakness [CWE-305] indicates authentication controls do not adequately protect the affected code path. Requests reach the vulnerable command handler without proof of identity, and the handler passes untrusted input into a command execution context.
Attack Vector
The attack vector is network-based with low complexity and no privileges required. An attacker sends a crafted request to the Control-M/Server communication endpoint. The malicious payload embeds shell metacharacters or command separators that the server interprets during processing. Successful exploitation yields arbitrary command execution on the host.
No public proof-of-concept exploit is currently available. The vulnerability has not been observed in active exploitation and is not listed in the CISA Known Exploited Vulnerabilities catalog. Technical specifics are described in the BMC Knowledge Article.
Detection Methods for CVE-2026-10539
Indicators of Compromise
- Unexpected child processes spawned by Control-M/Server service binaries or the associated service account
- Anomalous network connections to Control-M/Server communication ports from untrusted sources
- Unauthorized modifications to job definitions, scheduling configurations, or Control-M scripts
- Outbound connections from the Control-M/Server host to unknown external addresses following inbound communication requests
Detection Strategies
- Monitor process ancestry on Control-M/Server hosts for shell interpreters (cmd.exe, powershell.exe, /bin/sh, /bin/bash) spawned by Control-M service processes
- Inspect Control-M/Server communication logs for malformed requests containing shell metacharacters such as ;, |, &, backticks, or $()
- Baseline normal Control-M network traffic and alert on connections from unauthorized sources to Control-M communication ports
- Correlate authentication events with command execution activity to identify unauthenticated command flows
Monitoring Recommendations
- Enable verbose logging on Control-M/Server communication components and forward logs to a centralized SIEM
- Deploy endpoint telemetry on Control-M/Server hosts to capture process creation, command-line arguments, and network activity
- Alert on new scheduled jobs or job modifications made outside change-management windows
- Track file integrity for Control-M configuration directories and executable paths
How to Mitigate CVE-2026-10539
Immediate Actions Required
- Identify all Control-M/Server instances running versions 9.0.20.x through 9.0.21.200 and prioritize them for remediation
- Restrict network access to Control-M/Server communication ports using firewall rules, limiting connectivity to known agents and administrative hosts
- Review Control-M/Server logs for evidence of anomalous commands or unauthenticated requests
- Rotate credentials stored within Control-M if compromise is suspected
Patch Information
BMC has published remediation guidance in the BMC Knowledge Article. Administrators should apply the vendor-provided fixed version or hotfix for Control-M/Server as specified in the advisory. Verify the installed build after patching to confirm the fix is applied.
Workarounds
- Place Control-M/Server behind network segmentation that permits communication only from authorized Control-M agents and management workstations
- Enforce host-based firewall rules restricting inbound access to Control-M communication ports
- Run Control-M/Server under a least-privilege service account to constrain the impact of any successful command execution
- Increase monitoring on Control-M hosts until the vendor patch is applied and validated
# Example: restrict inbound access to Control-M/Server communication port
# Replace CTM_PORT and TRUSTED_SUBNET with environment-specific values
iptables -A INPUT -p tcp --dport ${CTM_PORT} -s ${TRUSTED_SUBNET} -j ACCEPT
iptables -A INPUT -p tcp --dport ${CTM_PORT} -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

