An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A set of default debug user credentials is hardcoded in cleartext within the application package. If left unchanged, these credentials can be easily obtained and may allow unauthorized access to the MFT API debug interface.
Credentials for the debug account are stored in cleartext directly in the application package files — this is a case of CWE-798 (hardcoded credentials). An attacker can read this data by analyzing the contents of the installation package or application files without needing privileges or conducting advanced activities. If the credentials have not been changed by the administrator, they can be used to log into the MFT debug API interface over the network without any additional authorization.
An attacker gains unauthorized access to the BMC Control-M/MFT debug API interface, which — with a CVSS score of 9.8 (C:H/I:H/A:H) — can lead to complete compromise of confidentiality, integrity, and availability of processed files and system configuration.
Apply the Control-M MFT patch PAAFP-9-0-22-025 available for version 9.0.22 according to the vendor documentation at the address indicated in the references. Additionally, immediately change or disable default credentials for the debug interface access, and restrict access to the MFT debug API interface at the firewall level to trusted administrative addresses only.
BMC Control-M/Managed File Transfer in versions 9.0.20 and 9.0.21 and 9.0.22 (range 9.0.20 to 9.0.22)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HBmc Control M\/managed File Transfer
APPBmc9.0.20 – 9.0.22
Related vulnerabilities
An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A SQL injection vulnerability in the MFT A...
An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. An API management endpoint allows unauthen...
BMC Control-M/Agent: Bypass ACL przez NULL byte w certyfikacie klienta
BMC Control-M/Agent: Authentication Bypass przez niezabezpieczony keystore
Path traversal w BMC Control-M/Agent prowadzący do privilege escalation