A buffer overflow in the Control-M/Agent can lead to a local privilege escalation when an attacker has access to the system running the Agent
Description
A buffer overflow in the Control-M/Agent can lead to a local privilege escalation when an attacker has access to the system running the Agent
Remediation
Upgrade to a current, vendor-supported version immediately; the affected versions are out of support and will not receive a patch. Review user permissions and access controls on the agent hosts.
Executive Summary:
A critical vulnerability has been identified in out-of-support versions of BMC Control-M/Agent. The flaw allows an attacker to bypass the agent's access control list (ACL) checks, potentially leading to unauthorized job or command execution and compromise of the job scheduling environment. Because the affected versions will not be patched and the severity rating is critical, immediate action is required to mitigate the risk of system compromise and operational disruption.
Vulnerability Details
CVE-ID: CVE-2025-55113
Affected Software: BMC Control-M/Agent
Affected Versions: Versions 9.0.18 to 9.0.20, and potentially earlier unsupported versions.
Vulnerability: An Access Control List (ACL) bypass. The described condition applies when the Control-M/Agent is configured to enforce its own ACLs and is using the legacy "C router" component; both settings must be in place for the bypass as described. Under that configuration, an unauthenticated remote attacker can submit requests that the agent does not properly validate against its ACLs, and can therefore perform unauthorized actions such as executing arbitrary jobs or commands on the agent host with the privileges of the agent's service account.
Business Impact
This vulnerability is rated critical with a CVSS score of 9.0. Successful exploitation could give an attacker unauthorized access to infrastructure the agent runs on, execution of malicious code under the agent's service account, disruption of automated business processes, and exfiltration of sensitive data handled by scheduled jobs. Business consequences include financial loss from operational downtime, reputational damage, and the risk of a compromised agent being used as a pivot point for lateral movement within the corporate network, since agents routinely hold credentials and connectivity to the systems whose jobs they run.
Remediation Plan
Immediate Action: Upgrade all affected instances of Control-M/Agent to the latest supported version as recommended by the vendor. Because the vulnerable versions are out of support, a direct patch is unlikely, so an upgrade is the only viable permanent fix. Start by inventorying agent versions and configurations, and prioritize agents that both match the vulnerable combination (agent-enforced ACLs together with the legacy C router) and are reachable from less trusted networks.
Proactive Monitoring: Implement enhanced monitoring on systems still running vulnerable versions of Control-M/Agent. Review agent diagnostic and security logs for job submissions that did not originate from the expected Control-M/Server, connections from unexpected source addresses, and actions that would normally be denied by the configured ACLs. Monitor network traffic to and from the agent for unusual connection patterns or payloads that could indicate an exploit attempt, and alert on new processes spawned by the agent service account outside scheduled job windows.
Compensating Controls: If an immediate upgrade is not feasible, reduce exposure while the upgrade is scheduled. Enforce strict network segmentation so that vulnerable agents can communicate only with trusted Control-M/Server components. Deploy host-based and network firewall rules that restrict inbound connections to the agent's server-to-agent listening port (7005 by default; confirm the value configured on each agent) to the authorized Control-M/Server addresses only. These controls limit who can reach the agent but do not remove the flaw itself: any host that can still reach the port, including a compromised Control-M/Server, can still exercise the bypass.
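As an added example that is not BMC code or part of the original advisory, the following Python triages an agent inventory against the conditions stated in the remediation steps above: the 9.0.18 to 9.0.20 version range, the agent-enforced-ACL plus C-router configuration, and network exposure. The inventory records and the field names agent_acl, c_router and exposed are constructed for illustration and are not Control-M configuration keys; treating the affected range as 9.0.18 <= version < 9.0.21, so that fix packs of 9.0.20 are included, is an interpretation of the advisory wording rather than a vendor statement.

```python
"""Triage Control-M/Agent inventory entries against the CVE-2025-55113 advisory.

Added example, not vendor code. The version range and the configuration
condition come from the advisory text; the inventory format is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Advisory: affected versions 9.0.18 to 9.0.20. Reading that as
# 9.0.18 <= version < 9.0.21 is an assumption that keeps 9.0.20 fix packs in scope.
AFFECTED_LOW = (9, 0, 18)
AFFECTED_HIGH_EXCLUSIVE = (9, 0, 21)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.0.20.200' into (9, 0, 20, 200); tolerates a leading 'v'."""
    parts = text.strip().lstrip("vV").split(".")
    try:
        return tuple(int(p) for p in parts)
    except ValueError:
        raise ValueError(f"unparseable version string: {text!r}") from None


def version_status(version: str) -> str:
    """Classify a version string against the advisory's listed range."""
    v = parse_version(version)
    if AFFECTED_LOW <= v < AFFECTED_HIGH_EXCLUSIVE:
        return "affected"
    if v < AFFECTED_LOW:
        return "earlier-unsupported"      # advisory: "potentially" affected
    return "outside-listed-range"


@dataclass
class Agent:
    host: str
    version: str
    agent_acl: bool   # assumed field: agent enforces its own ACLs
    c_router: bool    # assumed field: legacy C router in use
    exposed: bool     # assumed field: reachable from a less trusted network


def config_matches_advisory(agent: Agent) -> bool:
    """Advisory condition: agent-side ACL enforcement AND the legacy C router.
    Either setting alone does not match the described bypass."""
    return agent.agent_acl and agent.c_router


def priority(agent: Agent) -> Optional[int]:
    """1 = upgrade first ... 4 = upgrade last; None = outside the listed range."""
    status = version_status(agent.version)
    if status == "outside-listed-range":
        return None
    matches = config_matches_advisory(agent)
    if status == "affected" and matches:
        return 1 if agent.exposed else 2
    if matches:                 # earlier unsupported build in the vulnerable setup
        return 2 if agent.exposed else 3
    return 4                    # out of support, but the described condition is absent


def triage(agents: List[Agent]) -> List[Tuple[int, str, str, str]]:
    """Return (priority, host, version, status) for in-scope agents, most urgent first."""
    rows = []
    for a in agents:
        p = priority(a)
        if p is not None:
            rows.append((p, a.host, a.version, version_status(a.version)))
    return sorted(rows)


# Constructed sample inventory: hostnames and values are illustrative only.
SAMPLE_INVENTORY = [
    Agent("batch-dmz-01", "9.0.20.200", agent_acl=True, c_router=True, exposed=True),
    Agent("batch-core-07", "9.0.19", agent_acl=True, c_router=True, exposed=False),
    Agent("batch-core-12", "9.0.20", agent_acl=False, c_router=True, exposed=True),
    Agent("legacy-fin-02", "9.0.00.500", agent_acl=True, c_router=True, exposed=True),
    Agent("batch-new-03", "9.0.21.100", agent_acl=True, c_router=True, exposed=True),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(row)
```

The ordering puts exposed agents that match both configuration conditions first, keeps earlier unsupported builds in scope because the advisory says they are potentially affected, and still lists out-of-support agents that lack the described condition so they are not forgotten once the urgent ones are done.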
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of September 16, 2025, there are no known public proof-of-concept exploits or active exploitation campaigns targeting this vulnerability. However, vulnerabilities in unsupported enterprise software are prime targets for threat actors, and the detailed description could enable reverse engineering and exploit development.
Analyst Recommendation
Given the critical CVSS score of 9.0 and the fact that this vulnerability affects unsupported software, we strongly recommend that organizations treat this as a high-priority issue. The primary and most effective course of action is to identify and upgrade all vulnerable Control-M/Agent installations to a current, fully supported version immediately. While this CVE is not currently on the CISA KEV list, its severity warrants urgent attention to prevent potential exploitation and compromise of critical business automation infrastructure.