Messaging consumer functionality allows deserialization of user-controlled data without sufficient restriction of allowed object types in the out of s...
Description
Messaging consumer functionality allows deserialization of user-controlled data without sufficient restriction of allowed object types in the out of support Control-M/Server and Control-M/Enterprise Manager versions 9
AI Analyst Comment
Remediation
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
---METADATA---
VENDOR: BMC Software
PRODUCT: Control-M/Server and Control-M/Enterprise Manager
AFFECTED_VERSIONS: Version 9
---END_METADATA---
Description Summary:
A deserialization vulnerability in Control-M/Server and Control-M/Enterprise Manager allows unauthorized execution of arbitrary code via the messaging consumer functionality.
Executive Summary:
Control-M/Server and Control-M/Enterprise Manager version 9 contain a critical deserialization flaw that may allow attackers to execute arbitrary code within the application environment.
Vulnerability Details
CVE-ID: CVE-2026-10538
Affected Software: BMC Software Control-M/Server and Control-M/Enterprise Manager
Affected Versions: Version 9
Vulnerability: The messaging consumer functionality fails to restrict allowed object types during deserialization. An attacker can leverage this vulnerability to inject malicious objects, potentially leading to remote code execution.
Business Impact
Successful exploitation allows an attacker to compromise the Control-M environment, which often holds high-level privileges for orchestrating enterprise workflows. With a CVSS score of 8.0, this vulnerability poses a severe threat to data integrity and system confidentiality, potentially granting attackers full control over automated business processes.
Remediation Plan
Immediate Action: Upgrade from the end-of-life version 9 to a currently supported version of Control-M as specified by the vendor.
Proactive Monitoring: Review messaging logs for unusual traffic patterns or unauthorized deserialization attempts within the application framework.
Compensating Controls: Restrict network access to the Control-M management interface to authorized administrative segments only, utilizing strict firewall rules.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of July 1, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
The reliance on out-of-support software presents an unacceptable risk to the enterprise. Organizations must migrate to a supported version immediately to ensure that security patches are available and that the environment is protected against known deserialization vectors.