← All CVEs

CVE-2026-10539

CRITICAL 9.5

Published 2026-07-01 · Last modified 2026-07-01

A Control-M/Server communication command does not sufficiently filter or sanitize user-supplied input. Under certain conditions, this issue may allow an unauthenticated attacker to execute unauthorized commands on the affected server, potentially leading to compromise of the server.  This vulnerability affects Control-M/Server versions 9.0.20.x to 9.0.21.200 (included) and potentially earlier unsupported versions.

ELEVATED IMPACT

Severe if exploited (CVSS 9.5), but no known exploitation and low modeled probability. Patch on a normal cadence.

Exploitation likelihood

0.2%chance of exploitation in 30 days · 14th percentile

○ In CISA KEV ○ Public exploit / PoC

Impact if exploited

9.5CVSS 4.0 · CRITICAL

  • ConfidentialityHigh
  • IntegrityHigh
  • AvailabilityHigh

What an attacker needs

  • Access: Reachable over the network — no local access needed
  • Privileges: No account or privileges required
  • User interaction: No user interaction needed
  • Complexity: No special conditions — reliably repeatable
  • Requirements: Specific conditions must be present

✓ lowers the bar for an attacker · ⚠ raises it

Affected

Vendors Bmc

Products Control M/Server

Weakness (CWE)

  • CWE-305

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Sources: NVD · CVE.org · EPSS