BMC Control-M/Agent
cpe:2.3:a:bmc:control-m/agent:*:*:*:*:*:*:* (2 additional CPE entries not shown)
- <= 9.0.20
A vulnerability exists in BMC Control-M/Agent for UNIX and Windows in versions through 9.0.20. The issue arises from the order in which the AUTHORIZED_CTM_IP parameter is validated. The parameter is not set by default; when it is set, the agent checks the peer's IP address against it only after the SSL/TLS handshake has completed, so a peer that is not on the authorized list still drives the agent through the full handshake before it is rejected. This exposes the agent to vulnerabilities in the SSL/TLS implementation and to resource exhaustion from the handshake work performed before the check.
Exploitation requires the non-default configuration in which AUTHORIZED_CTM_IP is set, and could result in resource exhaustion or in exposure to vulnerabilities in the SSL/TLS implementation.
Users are advised to upgrade to Control-M/Agent version 9.0.21 or 9.0.22. For those unable to upgrade immediately, it is recommended to implement network firewall rules that allow access to the Control-M/Agent's Server-to-Agent port only from authorized Control-M/Server machines.
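The interim mitigation above amounts to a host or network firewall rule set that accepts the Server-to-Agent port only from the authorized Control-M/Server addresses and drops everything else before any TLS handshake can begin. The following POSIX shell script is an added example, not part of the advisory and not BMC's own tooling: it validates a list of authorized server addresses and prints (rather than applies) the corresponding iptables rules so they can be reviewed first. The port number is an assumption taken from an environment variable; the real Server-to-Agent port must be read from the agent's own configuration.

```shell
#!/bin/sh
# Added example: build iptables rules that limit the Control-M/Agent
# Server-to-Agent listener to authorized Control-M/Server hosts.
# AGENT_PORT is an assumption for illustration; take the actual value
# from the agent's configuration before using these rules.
AGENT_PORT="${AGENT_PORT:-7006}"

# Accept a dotted-quad IPv4 address, optionally with a /prefix length.
is_ipv4_or_cidr() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Print the rule set for PORT followed by one or more authorized addresses.
# One ACCEPT rule per authorized Control-M/Server, then a final DROP for the
# port, so unauthorized peers never reach the TLS handshake.
gen_agent_firewall_rules() {
    port="$1"; shift
    [ "$#" -gt 0 ] || { echo "no authorized server addresses given" >&2; return 1; }
    for srv in "$@"; do
        if ! is_ipv4_or_cidr "$srv"; then
            echo "rejecting malformed address: $srv" >&2
            return 1
        fi
        printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$srv"
    done
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Convenience check: number of ACCEPT rules equals number of authorized servers.
count_accept_rules() {
    gen_agent_firewall_rules "$@" | grep -c -- '-j ACCEPT'
}

# Usage (constructed sample addresses): review the output, then pipe it to sh
# on the agent host once it matches the intended Control-M/Server list.
# gen_agent_firewall_rules "$AGENT_PORT" 10.0.0.5 10.0.0.6
```

Because the DROP rule is appended after the ACCEPT rules, order within the INPUT chain matters; insert the rules ahead of any broader ACCEPT for the interface, and apply the equivalent policy on a network firewall where the agent host's own packet filter is not under your control.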