Deserialization Vulnerability in Control-M/Server and Control-M/Enterprise Manager by BMC Software
CVE-2026-10538

8.9 HIGH

Key Information:

Vendor: BMC

CVE Published: 1 July 2026

What is CVE-2026-10538?

The messaging consumer functionality in outdated versions of Control-M/Server and Control-M/Enterprise Manager deserializes user-controlled data without adequately restricting which object types may be instantiated. An authenticated attacker can send crafted serialized data to the consumer, potentially causing unintended server-side behavior and compromising the integrity of the affected system.
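The root cause named above is the absence of a restriction on acceptable object types during deserialization. The advisory does not say which serialization format Control-M's messaging consumer uses, so the following added example (not code from the advisory, BMC, or Airbus Security Lab) uses Python's pickle as a stand-in to show the general mitigation: an allow-list of (module, class) pairs enforced before any referenced class or callable is resolved. The `JobEvent` message type, the `UnexpectedObject` payload and the side-effect recorder are all constructed for the demonstration.

```python
"""Allow-list based deserialization versus the unrestricted pattern.

Constructed example; it assumes nothing about Control-M's actual wire
format and uses pickle only to illustrate the object-type restriction.
"""
import io
import pickle
from dataclasses import dataclass


@dataclass
class JobEvent:
    """The one message type this hypothetical consumer expects."""
    job_name: str
    status: str


# Types the consumer is prepared to instantiate. Every other class or
# callable referenced by a payload is refused before it is ever looked up.
ALLOWED_TYPES = {
    (JobEvent.__module__, "JobEvent"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allow-listed (module, name) references."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_TYPES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to load {module}.{name}")


def consume_unrestricted(data: bytes):
    """Vulnerable pattern: any class or callable named in the payload is resolved."""
    return pickle.loads(data)


def consume_restricted(data: bytes):
    """Hardened pattern: same payload, allow-listed types only."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


# --- Constructed inputs for the demonstration ---------------------------

SIDE_EFFECTS = []  # records that sender-chosen code ran inside the consumer


def record_side_effect(tag):
    SIDE_EFFECTS.append(tag)
    return tag


class UnexpectedObject:
    """Stand-in for an object type the consumer never meant to accept.

    Its __reduce__ makes the unpickler call record_side_effect(), which is
    how a consumer without an allow-list ends up running whatever callable
    the payload names.
    """

    def __reduce__(self):
        return (record_side_effect, ("sender-chosen code ran",))


BENIGN_MESSAGE = pickle.dumps(JobEvent("nightly_backup", "ENDED_OK"))
UNEXPECTED_MESSAGE = pickle.dumps(UnexpectedObject())


def demo():
    """Run both consumers over both messages and report what happened."""
    SIDE_EFFECTS.clear()
    results = {}
    results["benign_restricted"] = consume_restricted(BENIGN_MESSAGE)
    try:
        consume_restricted(UNEXPECTED_MESSAGE)
        results["unexpected_restricted"] = "accepted"
    except pickle.UnpicklingError as exc:
        results["unexpected_restricted"] = f"rejected: {exc}"
    results["side_effects_after_restricted"] = list(SIDE_EFFECTS)
    consume_unrestricted(UNEXPECTED_MESSAGE)
    results["side_effects_after_unrestricted"] = list(SIDE_EFFECTS)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The decisive detail is where the check sits: `find_class` runs before the referenced object is imported or called, so the rejected payload never executes anything, whereas `pickle.loads` resolves and invokes the callable as part of reconstructing the object. The same placement applies to other formats, for example `ObjectInputFilter` in Java, which filters class names before instantiation.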

Affected Version(s)

Control-M/Enterprise Manager 9.0.21

Control-M/Enterprise Manager 9.0.20 < 9.0.21

Control-M/Server 9.0.21

CVSS V4

Score: 8.9
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Jean-Romain Garnier from [Airbus Security Lab](https://airbus-seclab.github.io) - <vuln@airbus.com>
Quentin Liddell from [Airbus Security Lab](https://airbus-seclab.github.io) - <vuln@airbus.com>