Hardcoded Debug User Credentials in BMC Control-M/MFT
CVE-2026-23781

Currently unrated

Key Information:

Vendor: BMC Software
Status: Control-M/MFT
Vendor: CVE Published:; 10 April 2026

🔔 Create BMC Software Vulnerability Alert

What is CVE-2026-23781?

An issue has been identified in the BMC Control-M/MFT versions 9.0.20 through 9.0.22, where a set of hardcoded debug user credentials are stored in cleartext within the application package. If these default credentials are not changed, they can be easily exploited, potentially granting unauthorized access to the MFT API debug interface. This poses a significant risk to the security of the application and its data.

References

https://www.bmc.com/support/resources/issue-defect-manage...

https://docs.bmc.com/xwiki/bin/view/Control-M-Orchestrati...

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 10, 2026
Vulnerability Reserved
Jan 16, 2026

CVE-2026-23781 Data

JSON