Command Injection Vulnerability in Control-M/Server by BMC Software
CVE-2026-10539

9.5CRITICAL

Key Information:

Vendor

Bmc

Vendor
CVE Published:
1 July 2026

What is CVE-2026-10539?

A security flaw exists in Control-M/Server due to insufficient filtering and sanitization of user-supplied input in communication commands. This vulnerability can enable attackers without authentication to execute unauthorized commands, which poses a risk of server compromise. Affected versions include Control-M/Server 9.0.20.x to 9.0.21.200, along with potential earlier unsupported versions.

Affected Version(s)

Control-M/Server 9.0.21.300

Control-M/Server 9.0.20 <= 9.0.21.200

Control-M/Server 9.0.21.300

References

CVSS V4

Score:
9.5
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jean-Romain Garnier from [Airbus Security Lab](https://airbus-seclab.github.io) - <vuln@airbus.com>
Quentin Liddell from [Airbus Security Lab](https://airbus-seclab.github.io) - <vuln@airbus.com>
.