BMC Control-M/Server Cleartext Database Credentials Exposure Vulnerability

Vulnerability

A vulnerability exists in BMC Control-M/Server version 9.0.21.300, where database credentials are exposed in cleartext within process lists and logs. This issue allows an authenticated attacker with shell access to view these credentials and potentially use them to access the database server. The vulnerability arises because Control-M/Server, when connected to a database, frequently executes a utility that includes sensitive connection details such as the username, password, database hostname, and port in cleartext. This information can be found in event and process logs in two separate locations.

Impact

Exploitation of this vulnerability could lead to unauthorized database access using the exposed credentials.

Remediation

Users can upgrade to BMC Control-M/Server version PACTV.9.0.21.307 to address this vulnerability. Instructions for installing this patch on both Linux and Windows are available in the BMC Control-M documentation.
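Before and after applying the patch, a defender will want to confirm that no cleartext database password is still visible in process listings or log files on the Control-M/Server host. The following is an added example, not code from BMC or from this advisory: it scans a process-list snapshot and a set of log lines for the common ways a DB password ends up on a command line or in a connection string, reports each hit, and produces a redacted copy that is safe to forward to a SIEM. The utility name db_util, its flags, the host name and every sample line are constructed placeholders and do not represent Control-M/Server's real utility, command line or log format.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input. "db_util", its flags, the host name and the
# secret are placeholders; they are NOT Control-M/Server's real utility,
# command line or log format.
SAMPLE_PROCESS_LIST = """\
  PID USER     COMMAND
 1234 ctmsrv   /opt/ctm/bin/db_util -U ctmuser -P S3cretPass -h dbhost.example.internal -p 5432
 1250 ctmsrv   /opt/ctm/bin/worker --config /opt/ctm/etc/worker.conf
"""

SAMPLE_LOG_LINES = [
    "2025-08-07 20:17:01 INFO exec: db_util -U ctmuser -P S3cretPass -h dbhost.example.internal -p 5432",
    "2025-08-07 20:17:02 INFO exec: db_util -U ctmuser -P ***** -h dbhost.example.internal -p 5432",
    "2025-08-07 20:17:03 INFO exec: worker --config /opt/ctm/etc/worker.conf",
    "2025-08-07 20:17:04 DEBUG dsn: host=dbhost.example.internal port=5432 user=ctmuser password=S3cretPass",
    "2025-08-07 20:17:05 DEBUG jdbc:postgresql://ctmuser:S3cretPass@dbhost.example.internal:5432/ctm",
]

REDACTED = "<REDACTED>"

# Each pattern captures the text before the secret as "prefix" and the secret
# itself as "secret", so the redacted form is simply prefix + REDACTED.
PASSWORD_PATTERNS: list[tuple[str, re.Pattern[str]]] = [
    # "-P secret": separate-argument short option used by several DB CLIs
    # (known false positive: tools that use -P for the port number)
    ("short-opt", re.compile(r"(?P<prefix>(?<!\S)-P\s+)(?P<secret>\S+)")),
    # "--password secret", "--password=secret", "-pwd=secret"
    ("long-opt", re.compile(r"(?P<prefix>(?<!\S)--?(?:password|passwd|pwd)[= ])(?P<secret>\S+)", re.I)),
    # "password=secret" inside a key=value DSN / connection string
    ("dsn", re.compile(r"(?P<prefix>\b(?:password|passwd|pwd)=)(?P<secret>[^;\s]+)", re.I)),
    # "scheme://user:secret@host" URIs (JDBC, libpq, SQLAlchemy style)
    ("uri", re.compile(r"(?P<prefix>://[^:/@\s]+:)(?P<secret>[^@\s]+)(?=@)")),
]

# Values the producing program already masked; these are not findings.
MASK_RE = re.compile(r"^(?:\*+|<REDACTED>)$")


def is_masked(value: str) -> bool:
    return MASK_RE.match(value) is not None


def scan_line(line: str) -> tuple[str, list[str]]:
    """Return (redacted copy of line, kinds of cleartext secret found in it)."""
    kinds: list[str] = []
    out = line
    for kind, pattern in PASSWORD_PATTERNS:
        def _redact(m: re.Match[str], kind: str = kind) -> str:
            if is_masked(m.group("secret")):
                return m.group(0)  # already masked upstream; leave untouched
            kinds.append(kind)
            return m.group("prefix") + REDACTED
        # Later patterns run on the already-redacted text, so one secret
        # matched by two patterns is counted once (second hit sees REDACTED).
        out = pattern.sub(_redact, out)
    return out, kinds


@dataclass
class Finding:
    source: str       # "process-list" or "log"
    line_no: int      # 1-based line within the source
    kinds: list[str]  # which pattern(s) fired on this line
    redacted: str     # safe to forward; the raw line is never stored


def scan_text(source: str, text_lines: list[str]) -> list[Finding]:
    findings: list[Finding] = []
    for n, line in enumerate(text_lines, 1):
        redacted, kinds = scan_line(line)
        if kinds:
            findings.append(Finding(source, n, kinds, redacted))
    return findings


def scan_process_list(ps_output: str) -> list[Finding]:
    """Scan `ps -eo pid,user,args`-style output (header line included)."""
    return scan_text("process-list", ps_output.splitlines())


def scan_log_lines(lines: list[str]) -> list[Finding]:
    return scan_text("log", lines)


if __name__ == "__main__":
    for f in scan_process_list(SAMPLE_PROCESS_LIST) + scan_log_lines(SAMPLE_LOG_LINES):
        print(f"{f.source} line {f.line_no}: {','.join(f.kinds)} -> {f.redacted}")
```

On a real host the process snapshot would come from `ps -eo pid,user,args` (or the Windows equivalent) and the log lines from the Control-M/Server log directory; because the exposure only lasts while the utility runs, sample the process list repeatedly rather than once. The scanner treats values the producer already masked (`*****`) as clean, so after the upgrade a run with zero findings is the confirmation a defender is looking for, and the redacted lines can be shipped to a SIEM without re-exposing the password.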

Added: Aug 7, 2025, 8:17 PM
Updated: Jan 13, 2026, 11:57 PM

Vulnerability Rating

Custom Algorithm

  spread          2.6
  impact          5.0
  exploitability  3.5
  remediation     7.7
  relevance       0.3
  threat          0.0
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.