CVE-2025-55109

9.0 CRITICAL

📋 TL;DR

An authentication bypass vulnerability in Control-M/Agent allows remote attackers to authenticate using expired demo or third-party certificates instead of organization-signed certificates when default keystores are used. This affects out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions.

💻 Affected Systems

Products:
  • Control-M/Agent
Versions: 9.0.18 to 9.0.20 and potentially earlier unsupported versions
Operating Systems: All supported OS for Control-M/Agent
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects out-of-support versions. Vulnerability requires using empty/default kdb keystore or default PKCS#12 keystore with trusted third-party certificates.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of Control-M/Agent allowing unauthorized job execution, data access, and potential lateral movement within the environment.

🟠

Likely Case

Unauthorized access to Control-M/Agent for job manipulation, data exfiltration, or privilege escalation within the automation environment.

🟢

If Mitigated

Limited impact if proper certificate management and network segmentation are implemented, restricting access to authorized certificates only.

🌐 Internet-Facing: HIGH if exposed to internet with default keystores, as attackers can use publicly available demo certificates.
🏢 Internal Only: MEDIUM to HIGH depending on network segmentation and certificate management practices.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to signed third-party or demo certificates and network access to Control-M/Agent. The hardcoded certificates are expired but may still be accepted in some configurations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A - versions are out-of-support

Vendor Advisory: https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441963

Restart Required: Yes

Instructions:

1. Upgrade to a supported Control-M/Agent version (9.0.21 or later).
2. Replace the default keystores with organization-specific keystores.
3. Remove trusted third-party certificates from the keystores.
4. Restart the Control-M/Agent services.

🔧 Temporary Workarounds

Replace Default Keystores

Operating Systems: all

Replace empty/default kdb and PKCS#12 keystores with organization-specific keystores containing only trusted organization certificates.

# Replace keystore files in Control-M/Agent installation directory
# Location varies by OS and installation method

Remove Third-Party Certificates

Operating Systems: all

Remove all third-party and demo certificates from keystores, leaving only organization-signed certificates.

# Use keytool or openssl to manage keystore contents
# keytool -delete -alias <cert-alias> -keystore <keystore-file>

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Control-M/Agent from untrusted networks
  • Deploy certificate pinning or client certificate validation at network perimeter devices

🔍 How to Verify

Check if Vulnerable:

Check the Control-M/Agent version and the keystore configuration. Verify whether the agent uses the default/empty keystores or whether the keystores contain third-party/demo certificates.

Check Version:

# On Control-M/Agent host: ctmagent -v or check installation directory version files

Verify Fix Applied:

Verify that the keystores contain only organization-signed certificates and no third-party or demo certificates. Test that authentication succeeds only with organization certificates.
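A keystore audit of the kind described above, as an added example that is not part of this advisory or of the vendor's tooling: it assumes the certificates have already been exported from the kdb or PKCS#12 keystore into the key=value layout printed by `openssl x509 -noout -subject -issuer -enddate` (one record per certificate); the organization CA name and the sample records are constructed.

```python
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Assumed: the only issuers the organization trusts for Control-M/Agent authentication.
ORG_ISSUERS = {"CN=Example Corp Issuing CA,O=Example Corp,C=US"}

def parse_openssl_record(text: str) -> Dict[str, str]:
    """Parse key=value lines (subject=, issuer=, notAfter=) into a dict; values may contain '='."""
    rec = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        rec[key.strip()] = value.strip()
    return rec

def cert_findings(rec: Dict[str, str], now: Optional[datetime] = None) -> List[str]:
    """Return why this certificate does not belong in a production keystore (empty if it is fine)."""
    now = now or datetime.now(timezone.utc)
    reasons = []
    issuer = rec.get("issuer", "")
    if issuer not in ORG_ISSUERS:  # exact match: demo and third-party CAs fail this test
        reasons.append(f"issuer not an organization CA: {issuer}")
    # openssl prints e.g. 'Jan  1 00:00:00 2020 GMT'; collapse the day padding before parsing
    not_after = datetime.strptime(" ".join(rec["notAfter"].split()), "%b %d %H:%M:%S %Y GMT")
    if not_after.replace(tzinfo=timezone.utc) < now:
        reasons.append(f"expired on {not_after.date()}")
    return reasons

def audit_keystore(records: List[str], now: Optional[datetime] = None) -> Dict[str, List[str]]:
    """Map each offending certificate subject to its findings; an empty dict means the keystore is clean."""
    findings = {}
    for text in records:
        rec = parse_openssl_record(text)
        reasons = cert_findings(rec, now)
        if reasons:
            findings[rec.get("subject", "?")] = reasons
    return findings

# Constructed sample inventory: one expired demo certificate, one organization-signed certificate.
SAMPLE_RECORDS = [
    "subject=CN=demo-agent,O=Demo Vendor\nissuer=CN=Demo Root CA,O=Demo Vendor\n"
    "notAfter=Jun 30 23:59:59 2019 GMT",
    "subject=CN=ctm-agent01.example.corp,O=Example Corp,C=US\n"
    "issuer=CN=Example Corp Issuing CA,O=Example Corp,C=US\nnotAfter=Dec 31 23:59:59 2030 GMT",
]

if __name__ == "__main__":
    for subject, reasons in audit_keystore(SAMPLE_RECORDS).items():
        print(f"{subject}: {'; '.join(reasons)}")
```

An empty result is the state to aim for after the fix; any entry names a certificate that must be removed from the keystore before the agent is restarted.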

📡 Detection & Monitoring

Log Indicators:

  • Authentication attempts using non-organization certificates
  • Failed certificate validation for expected organization CAs
  • Unexpected successful authentications

Network Indicators:

  • SSL/TLS connections using demo or third-party certificates to Control-M/Agent ports
  • Unusual authentication patterns

SIEM Query:

source="control-m" AND (certificate_validation="failed" OR certificate_issuer="demo" OR certificate_issuer="third-party")
