CVE-2025-55113
BMC · BMC Control-M/Agent
A critical vulnerability has been identified in out-of-support versions of BMC Control-M/Agent.
Executive summary
A critical vulnerability has been identified in out-of-support versions of BMC Control-M/Agent. This flaw allows an attacker to bypass security access controls, potentially leading to unauthorized command execution and compromise of the job scheduling environment. Due to the critical severity rating, immediate action is required to mitigate the significant risk of system compromise and operational disruption.
Vulnerability
The vulnerability is an Access Control List (ACL) bypass that occurs when the Control-M/Agent is configured to enforce its own ACLs while using the legacy "C router" component. An unauthenticated remote attacker can exploit this condition to submit requests that are not properly validated by the ACLs. This allows the attacker to perform unauthorized actions, such as executing arbitrary jobs or commands on the agent host with the privileges of the agent's service account.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.0, posing a significant threat to business operations. Successful exploitation could lead to unauthorized access to critical infrastructure, execution of malicious code, disruption of automated business processes, and potential exfiltration of sensitive data managed by the agent. The direct business impact includes potential financial loss from operational downtime, reputational damage, and the risk of attackers using the compromised agent as a pivot point for further lateral movement within the corporate network.
Remediation
Immediate Action: Upgrade all affected instances of Control-M/Agent to the latest supported version as recommended by the vendor. Since the vulnerable versions are out of support, a direct patch is unlikely, making an upgrade the only viable permanent solution. Prioritize upgrading agents that are exposed to less trusted networks.
Proactive Monitoring: Implement enhanced monitoring on systems running vulnerable versions of Control-M/Agent. Scrutinize agent diagnostic and security logs for unauthorized job submissions, connections from unexpected IP addresses, or actions that violate configured ACL policies. Monitor network traffic to and from the agent for unusual patterns or payloads indicative of an exploit attempt.
Compensating Controls: If an immediate upgrade is not feasible, implement compensating controls to reduce the risk. Enforce strict network segmentation to isolate vulnerable agents from the broader network, allowing communication only with trusted Control-M/Server components. Deploy host-based and network firewall rules to restrict inbound connections to the agent's communication ports from only authorized sources.
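The two compensating measures above (reviewing agent connection records for unexpected sources, and restricting the agent's listening port to authorized Control-M/Server hosts) can be driven from a single allow-list. The following is an added example written for this page; it is not BMC code and does not reflect the real Control-M/Agent log format. It assumes a hypothetical record layout of "timestamp source_ip dest_port action", a placeholder agent port (AGENT_PORT, to be replaced with the value from the agent's configuration), and a constructed allow-list of two Control-M/Server addresses. It flags records reaching the agent port from any source outside the allow-list and renders the same allow-list as iptables rules.

```python
"""Added example, not from the advisory or from BMC.

Assumptions (all hypothetical):
  - log records look like "<timestamp> <source_ip> <dest_port> <action>"
  - AGENT_PORT is a placeholder for the agent's real listen port
  - ALLOWED_SOURCES lists the Control-M/Server hosts permitted to reach it
"""
import ipaddress

# Placeholder: take the real value from the agent's configuration.
AGENT_PORT = 7006

# Constructed allow-list: the only sources that should ever reach the agent port.
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.20.0.10/32"),  # Control-M/Server, primary (constructed)
    ipaddress.ip_network("10.20.0.11/32"),  # Control-M/Server, standby (constructed)
]

# Constructed sample records in the hypothetical format above.
SAMPLE_LOG = """\
2025-09-01T10:00:01Z 10.20.0.10 7006 submit_job
2025-09-01T10:00:05Z 10.20.0.11 7006 submit_job
2025-09-01T10:01:12Z 192.168.55.7 7006 submit_job
2025-09-01T10:01:13Z 192.168.55.7 7006 run_job
2025-09-01T10:02:00Z 10.20.0.10 7006 ping
2025-09-01T10:02:30Z 192.168.55.9 22 ssh_login
"""


def parse_record(line):
    """Split one hypothetical-format record into a dict."""
    ts, src, port, action = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "port": int(port), "action": action}


def is_allowed(src):
    """True if the source address falls inside any allow-listed network."""
    return any(src in net for net in ALLOWED_SOURCES)


def find_unauthorized(log_text, port=AGENT_PORT):
    """Return records that reached the agent port from a non-allow-listed source.

    Traffic to other ports is ignored here: this check is scoped to the agent's
    listener, which is what the ACL bypass concerns.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["port"] == port and not is_allowed(rec["src"]):
            hits.append(rec)
    return hits


def iptables_rules(port=AGENT_PORT):
    """Render the allow-list as host-firewall rules: accept listed sources, drop the rest."""
    rules = [
        f"iptables -A INPUT -p tcp --dport {port} -s {net.with_prefixlen} -j ACCEPT"
        for net in ALLOWED_SOURCES
    ]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    for rec in find_unauthorized(SAMPLE_LOG):
        print(f"ALERT {rec['ts']} source={rec['src']} action={rec['action']} outside allow-list")
    print("\n".join(iptables_rules()))
```

On the constructed input this flags the two records from 192.168.55.7 and ignores the SSH record, since it targets a different port. The allow-list is deliberately the single source of truth for both the detection and the firewall rules, so a server added to one is not silently missed by the other.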
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical CVSS score of 9.0 and the fact that this vulnerability affects unsupported software, we strongly recommend that organizations treat this as a high-priority issue. The primary and most effective course of action is to identify and upgrade all vulnerable Control-M/Agent installations to a current, fully supported version immediately. While this CVE is not currently on the CISA KEV list, its severity warrants urgent attention to prevent potential exploitation and compromise of critical business automation infrastructure.