An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. An API management endpoint allows unauthenticated users to obtain both an API identifier and its corresponding secret value. With these exposed secrets, an attacker could invoke privileged API operations, potentially leading to unauthorized access.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NBmc Control M\/managed File Transfer
APPBmc9.0.20 – 9.0.22
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
Related vulnerabilities
CVE-2026-23781CRITICAL9.8PL ✓ten sam produkt
BMC Control-M/MFT — zakodowane na stałe dane logowania w kodzie (hardcoded credentials)
CVE-2026-23780HIGH8.8ten sam produkt
An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A SQL injection vulnerability in the MFT A...
CVE-2025-55113CRITICAL9.5PL ✓ten sam vendor
BMC Control-M/Agent: Bypass ACL przez NULL byte w certyfikacie klienta
CVE-2025-55109CRITICAL9.5PL ✓ten sam vendor
BMC Control-M/Agent: Authentication Bypass przez niezabezpieczony keystore
CVE-2025-55115CRITICAL9.3PL ✓ten sam vendor
Path traversal w BMC Control-M/Agent prowadzący do privilege escalation