CVE-2025-55109

BMC Software · Control-M/Agent

Out-of-support versions of the BMC Control-M/Agent contain an authentication bypass vulnerability due to the use of an empty or default kdb keystore.

Executive summary

An authentication bypass vulnerability in legacy BMC Control-M/Agent versions allows unauthorized access, potentially compromising the integrity of automated batch processing environments.

Vulnerability

The vulnerability stems from the use of insecure, default, or empty kdb keystore configurations. This allows unauthenticated remote attackers to bypass security mechanisms and interact with the agent directly.

Business impact

Successful exploitation allows an attacker to gain unauthorized access to the Control-M/Agent, which can lead to the manipulation of sensitive batch jobs, data exfiltration, or complete system compromise. The CVSS score of 9.0 reflects the high risk of unauthorized access to critical enterprise orchestration tools.

Remediation

Immediate Action: Since the affected versions are out-of-support, administrators must upgrade to a modern, supported version of the Control-M/Agent immediately.

Proactive Monitoring: Monitor agent communication logs for any unauthorized connection attempts or unexpected configuration changes.

Compensating Controls: Restrict network access to the Control-M/Agent using host-based firewalls or network access control lists to only allow traffic from authorized Control-M Server IPs.
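One way to apply that compensating control on a Linux agent host, as an added example that is not part of this advisory or of BMC's own tooling: it generates an nftables ruleset that admits new connections to the agent's listening port only from the authorized Control-M Server addresses and logs and drops everything else. The port and server IPs are placeholders (the advisory gives neither); take the real values from your Control-M/Agent configuration.

```shell
#!/bin/sh
# Added example: restrict the Control-M/Agent listening port to authorized
# Control-M Server IPs with nftables. Not from the advisory or from BMC.
# ASSUMPTIONS: the port number and server addresses passed in are placeholders
# for this example; use the values from your own agent configuration.

# build_ruleset PORT "IP1 IP2 ..."
# Emits an nftables ruleset (text) on stdout. It touches only traffic to the
# agent port: other services on the host are left to the existing policy.
build_ruleset() {
  port="$1"
  # turn "a b c" into "a, b, c" for an nft anonymous set
  servers=$(printf '%s' "$2" | sed 's/ /, /g')
  cat <<EOF
table inet ctm_agent {
  chain input {
    type filter hook input priority 0; policy accept;
    # authorized Control-M Servers may open new sessions to the agent
    tcp dport $port ip saddr { $servers } ct state new accept
    # anyone else is logged (kernel log, prefix below) and dropped
    tcp dport $port ct state new log prefix "ctm-agent-denied " drop
  }
}
EOF
}

# Stand-alone use: ./ctm_agent_acl.sh PORT "IP1 IP2" | nft -f -
# (placeholder values below are from the documentation address range)
if [ "$#" -eq 2 ]; then
  build_ruleset "$1" "$2"
fi
```

Load the output with `nft -f -` as root, then confirm it with `nft list table inet ctm_agent`; the `ctm-agent-denied` log prefix gives the monitoring step above a concrete string to alert on.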

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

This vulnerability is particularly dangerous because it affects legacy versions that are no longer receiving standard security updates. Organizations must treat this as a high-priority migration task, as the use of default security configurations leaves these agents highly susceptible to unauthorized remote access.