CVE-2025-55113 – This vulnerability allows attackers to bypass A... (How to Fix)

Q: What is the severity of CVE-2025-55113?

CVE-2025-55113 has a CVSS score of 9.0 (CRITICAL). This vulnerability allows attackers to bypass Access Control Lists in Control-M/Agent by using specially crafted client certificates with NULL bytes in email addresses. Affected systems include Control-M/Agent versions 9.0.18 to 9.0.20 (default vulnerable) and potentially earlier unsupported versions, with newer versions vulnerable only when specific C router configuration is enabled.

📋 TL;DR

This vulnerability allows attackers to bypass Access Control Lists in Control-M/Agent by using specially crafted client certificates with NULL bytes in email addresses. Affected systems include Control-M/Agent versions 9.0.18 to 9.0.20 (default vulnerable) and potentially earlier unsupported versions, with newer versions vulnerable only when specific C router configuration is enabled.

💻 Affected Systems

Products:

BMC Control-M/Agent

Versions: 9.0.18 to 9.0.20 (default vulnerable), potentially earlier unsupported versions, newer versions with specific configuration

Operating Systems: All supported Control-M platforms

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerable by default in unsupported versions 9.0.18-9.0.20. In newer supported versions, vulnerability exists only when C router is configured via JAVA_AR setting (non-default).

📦 What is this software?

Control M\/agent by Bmc

View all CVEs affecting Control M\/agent →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete ACL bypass allowing unauthorized access to sensitive job management systems, potentially leading to job manipulation, data exfiltration, or system compromise.

🟠

Likely Case

Unauthorized users gain access to Control-M/Agent management functions they should be restricted from, enabling job execution, modification, or monitoring.

🟢

If Mitigated

Limited impact with proper network segmentation and certificate validation controls in place.

🌐 Internet-Facing: HIGH if Control-M/Agent is exposed to untrusted networks, as certificate-based authentication bypass could allow external attackers access.

🏢 Internal Only: MEDIUM for internal networks, requiring attacker to obtain or forge client certificates but still posing significant risk to job management systems.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires attacker to obtain or create specially crafted client certificates with NULL bytes in email address fields. Certificate management and validation bypass required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check BMC advisories for specific patched versions

Vendor Advisory: https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441967

Restart Required: Yes

Instructions:

1. Review BMC advisory 000441967 for patched versions. 2. Apply the recommended patch for your Control-M/Agent version. 3. Restart Control-M/Agent services. 4. Verify ACL enforcement works correctly.

🔧 Temporary Workarounds

Disable C router configuration

all

Remove or modify JAVA_AR setting to disable C router functionality in newer versions

Review JAVA_AR environment variable and remove C router configuration

Upgrade unsupported versions

all

Upgrade from vulnerable unsupported versions (9.0.18-9.0.20) to supported versions

Follow BMC upgrade procedures for Control-M/Agent

🧯 If You Can't Patch

Implement strict network segmentation to isolate Control-M/Agent from untrusted networks
Enhance certificate validation with additional checks for NULL bytes in certificate fields

🔍 How to Verify

Check if Vulnerable:

Check Control-M/Agent version and JAVA_AR configuration for C router usage. Versions 9.0.18-9.0.20 are vulnerable by default.

Check Version:

Check Control-M/Agent version through Control-M Enterprise Manager or agent configuration files

Verify Fix Applied:

Test ACL enforcement with certificates containing NULL bytes in email addresses after patch application.

📡 Detection & Monitoring

Log Indicators:

Failed ACL checks followed by successful authentication with unusual certificate patterns
Authentication attempts with certificates containing special characters

Network Indicators:

Unexpected connections to Control-M/Agent management ports from unauthorized sources

SIEM Query:

Search for Control-M authentication events where certificate validation succeeded despite ACL restrictions

📊 Metadata

CVE ID: CVE-2025-55113

CVSS v3 Score: 9.0 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE: CWE-158

EPSS Score: 0.03% exploit probability (7.8th percentile)

Published: September 16, 2025

Last Updated: October 10, 2025

🔗 References

https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441967 Mitigation,Vendor Advisory
https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000442099 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-55113, you might also want to check these: