CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2026-23781

CVSS 9.8v3.1pub. 2026-04-10upd. 2026-04-27

An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A set of default debug user credentials is hardcoded in cleartext within the application package. If left unchanged, these credentials can be easily obtained and may allow unauthorized access to the MFT API debug interface.

🤖 AI Analysis
How it works

Credentials for the debug account are stored in cleartext directly in the application package files — this is a case of CWE-798 (hardcoded credentials). An attacker can read this data by analyzing the contents of the installation package or application files without needing privileges or conducting advanced activities. If the credentials have not been changed by the administrator, they can be used to log into the MFT debug API interface over the network without any additional authorization.

Impact

An attacker gains unauthorized access to the BMC Control-M/MFT debug API interface, which — with a CVSS score of 9.8 (C:H/I:H/A:H) — can lead to complete compromise of confidentiality, integrity, and availability of processed files and system configuration.

Mitigation & patch

Apply the Control-M MFT patch PAAFP-9-0-22-025 available for version 9.0.22 according to the vendor documentation at the address indicated in the references. Additionally, immediately change or disable default credentials for the debug interface access, and restrict access to the MFT debug API interface at the firewall level to trusted administrative addresses only.

Who is affected

BMC Control-M/Managed File Transfer in versions 9.0.20 and 9.0.21 and 9.0.22 (range 9.0.20 to 9.0.22)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Bmc Control M\/managed File Transfer

    APP
    Bmc
    9.0.20 – 9.0.22
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2026-23780HIGH8.8ten sam produkt

An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A SQL injection vulnerability in the MFT A...

CVE-2026-23782HIGH7.5ten sam produkt

An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. An API management endpoint allows unauthen...

CVE-2025-55113CRITICAL9.5PL ✓ten sam vendor

BMC Control-M/Agent: Bypass ACL przez NULL byte w certyfikacie klienta

CVE-2025-55109CRITICAL9.5PL ✓ten sam vendor

BMC Control-M/Agent: Authentication Bypass przez niezabezpieczony keystore

CVE-2025-55115CRITICAL9.3PL ✓ten sam vendor

Path traversal w BMC Control-M/Agent prowadzący do privilege escalation