Hardcoded Key Vulnerability in Control-M/Agent by BMC Software
CVE-2025-55112

7.6 HIGH

Key Information:

Vendor: BMC
CVE Published: 16 September 2025

What is CVE-2025-55112?

Certain older versions of Control-M/Agent by BMC Software, when configured to use the non-default Blowfish cryptography algorithm, rely on a hardcoded encryption key. The vulnerability affects Control-M/Agent versions 9.0.18 to 9.0.20, and possibly earlier unsupported releases. An attacker who has access to network traffic and knows this hardcoded key can decrypt sensitive communications between the Control-M/Agent and its associated server. Users are encouraged to review their configurations and follow the provided mitigation strategies to safeguard their environments.

Affected Version(s)

Control-M/Agent 9.0.21

Control-M/Agent 9.0.20

Control-M/Agent 9.0.19

CVSS V4

Score: 7.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Airbus SAS - Jean-Romain Garnier