HIGH✓ PATCH🇬🇧 English

CVE-2026-23782

CVSS 7.5v3.1pub. 2026-04-10upd. 2026-04-27

An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. An API management endpoint allows unauthenticated users to obtain both an API identifier and its corresponding secret value. With these exposed secrets, an attacker could invoke privileged API operations, potentially leading to unauthorized access.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Bmc Control M\/managed File Transfer

    APP
    Bmc
    9.0.20 – 9.0.22
🟢
PATCH DOSTĘPNY
Aktualizacja od producenta gotowa. Wdrożenie w ramach standardowego cyklu.
CWE
Referencje

Powiązane podatności

CVE-2026-23781CRITICAL9.8PL ✓ten sam produkt

BMC Control-M/MFT — zakodowane na stałe dane logowania w kodzie (hardcoded credentials)

CVE-2026-23780HIGH8.8ten sam produkt

An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A SQL injection vulnerability in the MFT A...

CVE-2025-55113CRITICAL9.5PL ✓ten sam vendor

BMC Control-M/Agent: Bypass ACL przez NULL byte w certyfikacie klienta

CVE-2025-55109CRITICAL9.5PL ✓ten sam vendor

BMC Control-M/Agent: Authentication Bypass przez niezabezpieczony keystore

CVE-2025-55115CRITICAL9.3PL ✓ten sam vendor

Path traversal w BMC Control-M/Agent prowadzący do privilege escalation