CVE-2026-10538

BMC Software · Control-M/Server and Control-M/Enterprise Manager

A deserialization vulnerability in Control-M/Server and Control-M/Enterprise Manager allows unauthorized execution of arbitrary code via the messaging consumer functionality.

Executive summary

Control-M/Server and Control-M/Enterprise Manager version 9 contain a critical deserialization flaw that may allow attackers to execute arbitrary code within the application environment.

Vulnerability

The messaging consumer functionality fails to restrict allowed object types during deserialization. An attacker can leverage this vulnerability to inject malicious objects, potentially leading to remote code execution.

Business impact

Successful exploitation allows an attacker to compromise the Control-M environment, which often holds high-level privileges for orchestrating enterprise workflows. With a CVSS score of 8.0, this vulnerability poses a severe threat to data integrity and system confidentiality, potentially granting attackers full control over automated business processes.

Remediation

Immediate Action: Upgrade from the end-of-life version 9 to a currently supported version of Control-M as specified by the vendor.

Proactive Monitoring: Review messaging logs for unusual traffic patterns or unauthorized deserialization attempts within the application framework.

Compensating Controls: Restrict network access to the Control-M management interface to authorized administrative segments only, utilizing strict firewall rules.
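As an added illustration of the two defensive points above (restricting which object types the messaging consumer may reconstruct, and reviewing messaging logs for rejected deserialization attempts), the following Python is example code written for this page, not BMC's or Control-M's: it models a hypothetical pickle-based message consumer first without and then with an allow-list of reconstructable types, and then counts rejections per source over constructed log lines whose `key=value` layout is an assumption, since the real Control-M log format is not given here. The allow-list pattern generalizes beyond this one product to any object-stream deserializer (in Java the equivalent role is played by an `ObjectInputFilter`); the flaw the advisory describes is the case where that restriction is absent.

```python
"""Added example (not BMC's code): an allow-list deserializer for a
hypothetical message consumer, plus a review of constructed log lines
for repeated rejections. Control-M's real messaging layer is not
modelled; a pickle-based consumer stands in for any object-stream
deserializer."""
import io
import pickle
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class JobRequest:
    """The one message type this consumer is designed to accept."""
    job_name: str
    priority: int


@dataclass
class UnexpectedPayload:
    """Stands in for any object type the consumer never asked for."""
    note: str


# Allow-list keyed by (module, class name). Types outside it are never
# reconstructed, which is the check the advisory says is missing.
ALLOWED_TYPES = {(JobRequest.__module__, JobRequest.__name__)}


class RestrictedUnpickler(pickle.Unpickler):
    """Rejects any class reference that is not on the allow-list."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_TYPES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"type not allowed: {module}.{name}")


def encode_message(obj) -> bytes:
    """Producer side: serialise a message for the queue."""
    return pickle.dumps(obj)


def consume_unrestricted(raw: bytes):
    """Flawed consumer: reconstructs whatever object types the stream names."""
    return pickle.loads(raw)


def consume_restricted(raw: bytes):
    """Hardened consumer: only ALLOWED_TYPES can be reconstructed."""
    return RestrictedUnpickler(io.BytesIO(raw)).load()


def classify(raw: bytes) -> str:
    """'accepted' or 'rejected', as the hardened consumer would log it."""
    try:
        consume_restricted(raw)
        return "accepted"
    except pickle.UnpicklingError:
        return "rejected"


# Constructed log lines in an assumed key=value format; the real
# Control-M log layout is not known to this example.
SAMPLE_LOG = """\
2026-05-02T10:14:03Z consumer=mq src=10.0.8.21 result=accepted type=JobRequest
2026-05-02T10:14:09Z consumer=mq src=203.0.113.7 result=rejected type=UnexpectedPayload
2026-05-02T10:14:10Z consumer=mq src=203.0.113.7 result=rejected type=UnexpectedPayload
2026-05-02T10:14:12Z consumer=mq src=10.0.8.21 result=rejected type=UnexpectedPayload
2026-05-02T10:14:15Z consumer=mq src=203.0.113.7 result=rejected type=UnexpectedPayload
""".splitlines()

_REJECT = re.compile(r"\bsrc=(?P<src>\S+)\b.*\bresult=rejected\b")


def suspicious_sources(lines, threshold: int = 2) -> dict:
    """Sources with at least `threshold` rejected deserialisations."""
    counts = Counter()
    for line in lines:
        m = _REJECT.search(line)
        if m:
            counts[m.group("src")] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    good = encode_message(JobRequest("nightly-batch", 1))
    bad = encode_message(UnexpectedPayload("not a job request"))
    print("unrestricted consumer accepts:", type(consume_unrestricted(bad)).__name__)
    print("restricted consumer:", classify(good), "/", classify(bad))
    print("sources to review:", suspicious_sources(SAMPLE_LOG))
```

The allow-list is keyed on the fully qualified type, not just the class name, so a same-named class from another module is still refused; the rejection path raises before any object of the refused type is constructed, which is what keeps the consumer from reconstructing objects it never asked for. The log review is deliberately simple: it only aggregates what the hardened consumer already records, and the threshold is the knob an operator would tune to the normal error rate of their queue.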

Exploitation status

Public Exploit Available: false

Analyst recommendation

The reliance on out-of-support software presents an unacceptable risk to the enterprise. Organizations must migrate to a supported version immediately to ensure that security patches are available and that the environment is protected against known deserialization vectors.