Hardcoded Debug User Credentials in BMC Control-M/MFT
CVE-2026-23781

9.8CRITICAL

Key Information:

Vendor: BMC Software
Status: Control-M/MFT
Vendor: CVE Published:; 10 April 2026

🔔 Create BMC Software Vulnerability Alert

What is CVE-2026-23781?

An issue has been identified in the BMC Control-M/MFT versions 9.0.20 through 9.0.22, where a set of hardcoded debug user credentials are stored in cleartext within the application package. If these default credentials are not changed, they can be easily exploited, potentially granting unauthorized access to the MFT API debug interface. This poses a significant risk to the security of the application and its data.

References

https://www.bmc.com/support/resources/issue-defect-manage...

https://docs.bmc.com/xwiki/bin/view/Control-M-Orchestrati...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 10, 2026
Vulnerability Reserved
Jan 16, 2026

CVE-2026-23781 Data

JSON