Remote Memory Corruption Vulnerability in Control-M/Agent by BMC Software
CVE-2025-55118

8.4HIGH

Key Information:

Vendor: Bmc
Status: Control-m/agent
Vendor: CVE Published:; 16 September 2025

What is CVE-2025-55118?

A vulnerability exists in BMC Software's Control-M/Agent, which facilitates remote memory corruption when SSL/TLS communication settings are misconfigured. Specifically, this occurs in Control-M/Agent version 9.0.20 if the setting 'use_openssl' is altered to 'n'. Furthermore, for versions 9.0.21 and 9.0.22, the combination of non-default settings 'JAVA_AR=N' and 'use_openssl=n' also opens the door to potential memory corruption. This flaw can be exploited remotely, posing a significant risk to system integrity and confidentiality.

Affected Version(s)

Control-M/Agent 9.0.22.000

Control-M/Agent 9.0.21

References

https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?...

vendor-advisory

https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?...

mitigation

CVSS V4

Score:

8.4

Severity:

HIGH

Confidentiality:

Low

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 16, 2025
Vulnerability Reserved
Aug 7, 2025

Credit

Airbus SAS - Jean-Romain Garnier - [email protected]

Bmc

What is CVE-2025-55118?

Affected Version(s)

References

CVSS V4

Timeline

Credit