CVE-2026-10538
BMC Software · Control-M/Server and Control-M/Enterprise Manager
A deserialization vulnerability in Control-M/Server and Control-M/Enterprise Manager allows unauthorized execution of arbitrary code via the messaging consumer functionality.
Executive summary
Control-M/Server and Control-M/Enterprise Manager version 9 contain a critical deserialization flaw that may allow attackers to execute arbitrary code within the application environment.
Vulnerability
The messaging consumer functionality fails to restrict allowed object types during deserialization. An attacker can leverage this vulnerability to inject malicious objects, potentially leading to remote code execution.
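The following is an added illustration, not code from Control-M or from BMC: it contrasts a consumer that instantiates whatever types arrive in a serialized message with one that enforces an allowlist of expected message classes before any class is resolved. Python's pickle stands in for the (unspecified) message format, and the JobMessage and UnexpectedType classes are constructed for the example. Rejections are collected in an audit list, which is the kind of event the log review recommended under Remediation would look for.

```python
"""Allowlist-based deserialization filter (added example, not Control-M code)."""
import io
import pickle
from dataclasses import dataclass


@dataclass
class JobMessage:
    """A legitimate message type the consumer expects (constructed for this example)."""
    job_name: str
    action: str


@dataclass
class UnexpectedType:
    """A serializable type with no business arriving on the queue (constructed)."""
    payload: str


# The only (module, class) pairs the consumer is willing to instantiate.
# __name__ resolves correctly whether this file is run directly or imported.
ALLOWED_TYPES = {(__name__, "JobMessage")}

# Audit trail of rejected type references; a real consumer would log these.
REJECTIONS: list = []


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted classes.

    find_class is the hook pickle calls for every class or function reference
    in the stream, so refusing here prevents instantiation of anything else.
    """

    def find_class(self, module, name):
        if (module, name) in ALLOWED_TYPES:
            return super().find_class(module, name)
        REJECTIONS.append(f"{module}.{name}")
        raise pickle.UnpicklingError(f"type not allowed: {module}.{name}")


def consume_unrestricted(raw: bytes):
    """The flawed pattern: any type named in the stream is instantiated."""
    return pickle.loads(raw)


def consume_restricted(raw: bytes):
    """The hardened pattern: the allowlist is checked before any class resolves."""
    return AllowlistUnpickler(io.BytesIO(raw)).load()


def demo():
    """Feed one expected and one unexpected message to both consumers."""
    good = pickle.dumps(JobMessage("nightly_backup", "run"))
    bad = pickle.dumps(UnexpectedType("not a job message"))
    results = {
        "unrestricted_good": type(consume_unrestricted(good)).__name__,
        "unrestricted_bad": type(consume_unrestricted(bad)).__name__,
        "restricted_good": type(consume_restricted(good)).__name__,
    }
    try:
        consume_restricted(bad)
        results["restricted_bad"] = "accepted"
    except pickle.UnpicklingError:
        results["restricted_bad"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
    print("rejected type references:", REJECTIONS)
```

The unrestricted consumer happily builds an UnexpectedType, which is exactly the behaviour that lets an attacker-controlled stream name types the application never intended to construct; the restricted consumer still handles JobMessage but refuses the unexpected type and records the refused reference for monitoring.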
Business impact
Successful exploitation allows an attacker to compromise the Control-M environment, which often holds high-level privileges for orchestrating enterprise workflows. With a CVSS score of 8.0, this vulnerability poses a severe threat to data integrity and system confidentiality, potentially granting attackers full control over automated business processes.
Remediation
Immediate Action: Upgrade from the end-of-life version 9 to a currently supported version of Control-M as specified by the vendor.
Proactive Monitoring: Review messaging logs for unusual traffic patterns or unauthorized deserialization attempts within the application framework.
Compensating Controls: Restrict network access to the Control-M management interface to authorized administrative segments only, utilizing strict firewall rules.
Exploitation status
Public Exploit Available: false
Analyst recommendation
The reliance on out-of-support software presents an unacceptable risk to the enterprise. Organizations must migrate to a supported version immediately to ensure that security patches are available and that the environment is protected against known deserialization vectors.