Command Injection Vulnerability in Control-M/Server by BMC Software
CVE-2026-10539
9.5CRITICAL
What is CVE-2026-10539?
A security flaw exists in Control-M/Server due to insufficient filtering and sanitization of user-supplied input in communication commands. This vulnerability can enable attackers without authentication to execute unauthorized commands, which poses a risk of server compromise. Affected versions include Control-M/Server 9.0.20.x to 9.0.21.200, along with potential earlier unsupported versions.
Affected Version(s)
Control-M/Server 9.0.21.300
Control-M/Server 9.0.20 <= 9.0.21.200
Control-M/Server 9.0.21.300
References
CVSS V4
Score:
9.5
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Jean-Romain Garnier from [Airbus Security Lab](https://airbus-seclab.github.io) - <vuln@airbus.com>
Quentin Liddell from [Airbus Security Lab](https://airbus-seclab.github.io) - <vuln@airbus.com>
