Deserialization Vulnerability in Control-M/Server and Control-M/Enterprise Manager by BMC Software
CVE-2026-10538
8.9 HIGH
What is CVE-2026-10538?
The messaging consumer functionality in outdated versions of Control-M/Server and Control-M/Enterprise Manager deserializes user-controlled data with inadequate restrictions on the object types it accepts. An authenticated attacker can send crafted serialized data to trigger unintended server-side behaviour, compromising the integrity of the affected system.
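The weakness described above is the absence of a type allowlist on the deserialization path. The following is an added illustration, not BMC code and not the actual Control-M consumer: it contrasts an unrestricted `ObjectInputStream` with one guarded by a JEP 290 `ObjectInputFilter` allowlist, using a constructed `JobStatusMessage` type and a constructed `UnexpectedType` standing in for any class the consumer should never accept.

```java
import java.io.*;

// Constructed example: the one message type this consumer expects on the wire.
final class JobStatusMessage implements Serializable {
    private static final long serialVersionUID = 1L;
    final String jobName;
    final int exitCode;
    JobStatusMessage(String jobName, int exitCode) { this.jobName = jobName; this.exitCode = exitCode; }
}

// Constructed stand-in for any Serializable class the consumer was never meant to instantiate.
final class UnexpectedType implements Serializable {
    private static final long serialVersionUID = 1L;
}

public class DeserializationFilterDemo {
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Weak pattern: the stream may instantiate any class reachable on the classpath.
    static Object deserializeUnrestricted(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened pattern (Java 9+): only the named message type and java.base classes are accepted;
    // "!*" rejects everything else, and maxdepth bounds object-graph nesting.
    static Object deserializeAllowlisted(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "JobStatusMessage;java.base/*;maxdepth=5;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new JobStatusMessage("nightly-backup", 0));
        byte[] unexpected = serialize(new UnexpectedType());
        System.out.println("allowlisted, expected type: " + deserializeAllowlisted(expected).getClass().getName());
        System.out.println("unrestricted, unexpected type accepted: " + deserializeUnrestricted(unexpected).getClass().getName());
        try {
            deserializeAllowlisted(unexpected);
        } catch (InvalidClassException e) {
            // The filter returns REJECTED before the class is resolved or instantiated.
            System.out.println("allowlisted, unexpected type rejected: " + e.getMessage());
        }
    }
}
```

The same allowlist can be applied process-wide with the `jdk.serialFilter` system property, which is the usual way to retrofit a filter onto a consumer whose deserialization call sites are not easily changed.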
Affected Version(s)
Control-M/Enterprise Manager 9.0.21
Control-M/Enterprise Manager 9.0.20 < 9.0.21
Control-M/Server 9.0.21
CVSS V4
Score: 8.9
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None
Credit
Jean-Romain Garnier from [Airbus Security Lab](https://airbus-seclab.github.io) - <vuln@airbus.com>
Quentin Liddell from [Airbus Security Lab](https://airbus-seclab.github.io) - <vuln@airbus.com>
