CVE-2025-55108

10.0 CRITICAL

📋 TL;DR

Control-M/Agent is vulnerable to unauthenticated remote code execution, arbitrary file read/write, and other unauthorized actions when mutual SSL/TLS authentication is not enabled. This affects on-premises Control-M deployments using default configurations without proper SSL/TLS setup. Control-M SaaS deployments are not impacted.

💻 Affected Systems

Products:
  • BMC Control-M/Agent
Versions: All versions with default SSL/TLS configuration
Operating Systems: All supported Control-M platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable when mutual SSL/TLS authentication is not enabled between Control-M Server and Agent. Control-M SaaS is not affected.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary code, steal sensitive data, modify files, and potentially pivot to other systems in the network.

🟠 Likely Case

Unauthenticated attackers gaining remote code execution and file system access on vulnerable Control-M/Agent instances.

🟢 If Mitigated

No impact when mutual SSL/TLS authentication is properly configured between Control-M Server and Agent.

🌐 Internet-Facing: HIGH - Unauthenticated remote code execution with CVSS 10.0 score indicates critical risk for internet-facing systems.
🏢 Internal Only: HIGH - Even internally, unauthenticated RCE allows lateral movement and privilege escalation within the network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires no authentication and affects default configurations, making exploitation straightforward for attackers who discover vulnerable instances.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisories for specific version updates

Vendor Advisory: https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441962

Restart Required: Yes

Instructions:

  1. Apply the latest Control-M patches from BMC.
  2. Configure mutual SSL/TLS authentication between Control-M Server and Agent.
  3. Restart affected services.

🔧 Temporary Workarounds

Enable Mutual SSL/TLS Authentication

Platform: all

Configure SSL/TLS with mutual authentication between Control-M Server and Agent as documented in BMC security best practices.

Refer to BMC documentation: https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000442099

Network Segmentation

Platform: linux

Restrict network access to Control-M/Agent ports to only trusted Control-M Servers using firewall rules.

iptables -A INPUT -p tcp --dport <agent_port> -s <trusted_server_ip> -j ACCEPT
iptables -A INPUT -p tcp --dport <agent_port> -j DROP

🧯 If You Can't Patch

  • Immediately enable mutual SSL/TLS authentication between all Control-M Server and Agent connections
  • Implement strict network segmentation and firewall rules to limit access to Control-M/Agent ports

🔍 How to Verify

Check if Vulnerable:

Check whether mutual SSL/TLS authentication is configured between Control-M Server and Agent. If the default configuration without SSL/TLS is in use, the system is vulnerable.

Check Version:

Check the Control-M version using vendor-specific commands or the Control-M/Agent configuration files.

Verify Fix Applied:

Verify SSL/TLS mutual authentication is properly configured and test that unauthorized connections are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated connection attempts to Control-M/Agent
  • Unexpected process execution from Control-M/Agent
  • File access/modification patterns outside normal operations

Network Indicators:

  • Unencrypted traffic to Control-M/Agent ports
  • Connections from unauthorized IP addresses to Control-M/Agent

SIEM Query:

source="controlm-agent" AND ((event_type="connection" AND auth_status="failed") OR process_execution="unexpected")
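The log and network indicators above, and the SIEM query, reduce to a small triage rule set: flag agent connections from addresses that are not trusted Control-M Servers, connections whose authentication failed or is absent, sessions that did not negotiate mutual TLS, and process launches the agent is not expected to perform. The script below is an added example, not code from the page or from BMC; the log line format, the trusted-server set and the expected-process list are constructed assumptions, since the real Control-M/Agent log format is not given here.

```python
import re
from dataclasses import dataclass

# Constructed log format (assumption, not Control-M/Agent's real format):
# "<ISO timestamp> src=<ip> event=<connection|process> auth=<ok|failed|none> tls=<mutual|server|none> [detail=<text>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) event=(?P<event>\w+) "
    r"auth=(?P<auth>\w+) tls=(?P<tls>\w+)(?: detail=(?P<detail>.*))?$"
)

@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    reason: str

def triage(lines, trusted_servers, expected_processes):
    """Return findings matching the page's indicators: untrusted source,
    failed/absent authentication, non-mutual TLS, or an unexpected process."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the constructed format
        f = m.groupdict()
        if f["src"] not in trusted_servers:
            findings.append(Finding(f["ts"], f["src"], "connection from untrusted address"))
        if f["event"] == "connection" and f["auth"] != "ok":
            findings.append(Finding(f["ts"], f["src"], f"authentication {f['auth']}"))
        if f["tls"] != "mutual":
            findings.append(Finding(f["ts"], f["src"], f"tls={f['tls']} (mutual TLS not enforced)"))
        if f["event"] == "process" and (f["detail"] or "") not in expected_processes:
            findings.append(Finding(f["ts"], f["src"], f"unexpected process: {f['detail']}"))
    return findings

# Constructed sample lines: one legitimate mTLS session from the trusted server,
# then an unauthenticated, unencrypted peer that launches a shell.
SAMPLE_LOG = """\
2025-09-01T10:00:00Z src=10.0.1.5 event=connection auth=ok tls=mutual
2025-09-01T10:00:05Z src=10.0.9.77 event=connection auth=none tls=none
2025-09-01T10:00:06Z src=10.0.9.77 event=process auth=none tls=none detail=/bin/sh
2025-09-01T10:01:00Z src=10.0.1.5 event=process auth=ok tls=mutual detail=/opt/jobs/nightly_backup.sh
"""
TRUSTED = {"10.0.1.5"}                     # assumed Control-M Server address
EXPECTED = {"/opt/jobs/nightly_backup.sh"}  # assumed allowlist of scheduled job commands

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG.splitlines(), TRUSTED, EXPECTED):
        print(hit)
```

Every finding in the sample comes from the untrusted peer; the trusted server's mutually authenticated session and its allowlisted job produce none.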
