CVE-2025-55112

7.4 HIGH

📋 TL;DR

CVE-2025-55112 allows attackers to decrypt network traffic between Control-M/Agent and Server when Blowfish encryption is configured, due to a hardcoded cryptographic key. This affects organizations using out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 (and potentially earlier unsupported versions) with non-default Blowfish configuration.

💻 Affected Systems

Products:
  • BMC Control-M/Agent
Versions: 9.0.18 to 9.0.20 (and potentially earlier unsupported versions)
Operating Systems: All supported platforms for Control-M
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when configured to use the non-default Blowfish cryptography algorithm. Default configuration uses stronger encryption.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of sensitive job data, credentials, and business logic transmitted between Control-M components, potentially enabling lateral movement within the environment.

🟠

Likely Case

Exfiltration of job execution details, configuration data, and potentially credentials from intercepted network traffic.

🟢

If Mitigated

Limited impact if Blowfish is not used or network segmentation prevents traffic interception.

🌐 Internet-Facing: MEDIUM - Only relevant if Control-M components are internet-facing and using vulnerable configuration.
🏢 Internal Only: HIGH - Internal attackers or compromised systems could intercept and decrypt sensitive automation traffic.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires network access to intercept traffic and knowledge of the hardcoded key. No authentication bypass needed for decryption once traffic is captured.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A - Affected versions are out of support

Vendor Advisory: https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441966

Restart Required: Yes

Instructions:

1. Upgrade to a supported Control-M version (9.0.21+ or the current supported release).
2. If upgrading is not possible, switch the encryption algorithm from Blowfish to AES.
3. Restart the Control-M/Agent services.

🔧 Temporary Workarounds

Disable Blowfish Encryption (applies to: all platforms)

Change the encryption algorithm from Blowfish to AES in the Control-M configuration:

  • Edit the Control-M configuration files to set encryption_algorithm=AES
  • Restart the Control-M/Agent service

Network Segmentation (applies to: all platforms)

Isolate Control-M traffic to prevent interception:

  • Implement VLAN segmentation
  • Use IPsec tunnels between Control-M components

🧯 If You Can't Patch

  • Immediately switch from Blowfish to AES encryption algorithm
  • Implement strict network segmentation and monitor for traffic interception attempts

🔍 How to Verify

Check if Vulnerable:

Check the Control-M/Agent configuration files for an encryption_algorithm=Blowfish setting and verify that the agent version is 9.0.18 to 9.0.20 (earlier out-of-support versions should be treated as potentially affected).

Check Version:

Run ctmagent -version on the agent host, or check the agent version in Control-M/Enterprise Manager.

Verify Fix Applied:

Confirm that encryption_algorithm is set to AES (not Blowfish) and that the agent version has been upgraded to 9.0.21+.
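The two checks above (algorithm setting and version range) can be scripted. The following is an added example, not BMC tooling: it assumes the configuration is a plain key=value file containing an encryption_algorithm key, as the advisory's encryption_algorithm=AES wording suggests, and assumes a version string in which major.minor.patch appears (e.g. from ctmagent -version). The sample configuration excerpts are constructed; the real file name and neighbouring keys are not given on the page.

```python
"""Exposure check for CVE-2025-55112 (added example, not BMC's own tooling)."""
import re
from typing import Dict, NamedTuple, Optional, Tuple

# Affected range from the advisory; earlier out-of-support builds are "potentially" affected.
AFFECTED_MIN: Tuple[int, int, int] = (9, 0, 18)
AFFECTED_MAX: Tuple[int, int, int] = (9, 0, 20)
FIXED_MIN: Tuple[int, int, int] = (9, 0, 21)

# Constructed samples in the key=value style implied by "encryption_algorithm=Blowfish".
# The actual Control-M/Agent file name and surrounding keys are assumptions.
SAMPLE_CONFIG_VULNERABLE = """\
# constructed Control-M/Agent configuration excerpt (not a real file)
AGENT_PORT=7006
encryption_algorithm = Blowfish
"""
SAMPLE_CONFIG_FIXED = "encryption_algorithm=AES\n"


class Finding(NamedTuple):
    version: Tuple[int, int, int]
    algorithm: Optional[str]
    vulnerable: bool   # Blowfish configured on an affected (or older, unsupported) build
    remediated: bool   # AES configured AND version 9.0.21+ (the "Verify Fix Applied" condition)
    reason: str


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract major.minor.patch from strings such as 'Control-M/Agent 9.0.19' or '9.0.20.100'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def parse_config(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are skipped, keys are lower-cased."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip().lower()] = value.strip()
    return cfg


def assess(version_text: str, config_text: str) -> Finding:
    """Combine the version and algorithm checks into one verdict."""
    version = parse_version(version_text)
    algorithm = parse_config(config_text).get("encryption_algorithm")
    alg_norm = (algorithm or "").lower()
    remediated = alg_norm == "aes" and version >= FIXED_MIN
    if alg_norm != "blowfish":
        return Finding(version, algorithm, False, remediated,
                       "Blowfish not configured; the hardcoded-key issue does not apply")
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return Finding(version, algorithm, True, False,
                       "Blowfish configured on affected version 9.0.18-9.0.20")
    if version < AFFECTED_MIN:
        return Finding(version, algorithm, True, False,
                       "Blowfish configured on an out-of-support build older than 9.0.18; treat as affected")
    return Finding(version, algorithm, False, False,
                   "Version is outside the published affected range but Blowfish is still configured; switch to AES")


if __name__ == "__main__":
    for ver, cfg in [("Control-M/Agent 9.0.19", SAMPLE_CONFIG_VULNERABLE), ("9.0.21", SAMPLE_CONFIG_FIXED)]:
        f = assess(ver, cfg)
        print(f"{'.'.join(map(str, f.version))}: vulnerable={f.vulnerable} "
              f"remediated={f.remediated} ({f.reason})")
```

The verdict deliberately keeps "vulnerable" and "remediated" separate: an agent on 9.0.20 that has been switched to AES is no longer exposed to this issue, but it does not satisfy the advisory's fix condition until it is also on 9.0.21 or later, because the affected builds are out of support.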

📡 Detection & Monitoring

Log Indicators:

  • Configuration changes to encryption settings
  • Unexpected network connections to Control-M ports

Network Indicators:

  • Unencrypted or weakly encrypted traffic on Control-M ports (default 7005-7006)
  • Network sniffing tools on Control-M network segments

SIEM Query:

source="control-m" AND ((event="configuration_change" OR "encryption_algorithm") OR (dest_port IN (7005, 7006) AND protocol="TCP"))

The added parentheses make the intended grouping explicit: either an encryption-related configuration change, or TCP traffic to the default Control-M ports. Without them, AND binds tighter than OR in most SIEM query languages, so the port clause would no longer be scoped to source="control-m".
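The same two indicators expressed as detection logic over sample events, as an added example rather than a vendor-supplied rule: the log lines are constructed in a generic key=value format, the field names (event, key, old, new, src, dest_port, protocol) are assumptions, and the allow-list of hosts expected to reach the Control-M ports is a constructed placeholder that would come from your own inventory.

```python
"""Detection over constructed log lines for CVE-2025-55112 indicators (added example)."""
import re
from typing import Dict, Iterable, List

CONTROL_M_PORTS = {7005, 7006}  # default Agent/Server ports named in the advisory
# Constructed allow-list: hosts (Servers/Agents) expected to connect to Control-M ports.
KNOWN_CONTROL_M_HOSTS = {"10.0.1.10", "10.0.1.11"}

# Constructed sample events; the field names are assumptions, not a real log schema.
SAMPLE_LOGS = """\
2025-06-01T08:00:00Z source=control-m host=ctm-agent01 event=configuration_change key=encryption_algorithm old=AES new=Blowfish user=svc_ctm
2025-06-01T08:01:00Z source=control-m host=ctm-agent01 event=job_start job=NIGHTLY_ETL
2025-06-01T08:02:00Z source=firewall src=10.0.1.10 dest=10.0.2.20 dest_port=7006 protocol=TCP action=allow
2025-06-01T08:03:00Z source=firewall src=10.9.9.9 dest=10.0.2.20 dest_port=7006 protocol=TCP action=allow
2025-06-01T08:04:00Z source=firewall src=10.9.9.9 dest=10.0.2.20 dest_port=443 protocol=TCP action=allow
2025-06-01T08:05:00Z source=control-m host=ctm-agent02 event=configuration_change key=agent_port old=7006 new=7010 user=svc_ctm
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Turn a 'timestamp k=v k=v ...' line into a dict; the leading token is kept as 'timestamp'."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def detect(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one alert per matching event, in log order."""
    alerts: List[Dict[str, str]] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_line(raw)

        # Indicator 1: a configuration change touching an encryption setting.
        # A change *to* Blowfish re-introduces the weak, hardcoded-key mode, so it ranks higher.
        if ev.get("event") == "configuration_change" and "encryption" in ev.get("key", "").lower():
            severity = "high" if ev.get("new", "").lower() == "blowfish" else "medium"
            alerts.append({
                "rule": "encryption_config_change", "severity": severity,
                "timestamp": ev["timestamp"], "host": ev.get("host", "?"),
                "detail": f"{ev.get('key')}: {ev.get('old')} -> {ev.get('new')} by {ev.get('user', '?')}",
            })

        # Indicator 2: TCP to a Control-M port from a host that is not a known Control-M component.
        port = ev.get("dest_port", "")
        if (port.isdigit() and int(port) in CONTROL_M_PORTS
                and ev.get("protocol", "").upper() == "TCP"
                and ev.get("src") not in KNOWN_CONTROL_M_HOSTS):
            alerts.append({
                "rule": "unexpected_control_m_connection", "severity": "medium",
                "timestamp": ev["timestamp"], "host": ev.get("dest", "?"),
                "detail": f"{ev.get('src')} -> {ev.get('dest')}:{port}",
            })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS.splitlines()):
        print(f"[{a['severity']}] {a['timestamp']} {a['rule']} on {a['host']}: {a['detail']}")
```

On the sample above this yields two alerts: the encryption_algorithm change to Blowfish on ctm-agent01, and the connection from the unlisted host 10.9.9.9 to port 7006. The agent_port change and the allow-listed connection are ignored, which is the point of scoping the port rule with an inventory rather than alerting on every connection to 7005-7006.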
