BMC Control-M/MFT SQL Injection Vulnerability in Debug Interface Allowing Arbitrary File Operations and Potential Remote Code Execution

Vulnerability

A SQL injection vulnerability has been identified in the debug interface of the MFT API within BMC Control-M/MFT versions 9.0.20 through 9.0.22. This vulnerability allows authenticated attackers to inject malicious SQL queries due to inadequate input validation and unsafe dynamic SQL processing. Exploitation of this issue could enable unauthorized reading or writing of files and may lead to remote code execution.
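The root cause named above (user input spliced into dynamic SQL) is the standard pattern behind injection flaws of this class, so here is an added illustration of the defect beside its fix. This is generic example code written for this page, not code from BMC Control-M/MFT or its debug interface; the `transfers` table, the column names and the `owner` lookup are all hypothetical, and an in-memory SQLite database stands in for the real backend.

```python
import re
import sqlite3

# Constructed demo schema and rows; hypothetical, not the product's data model.
def make_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE transfers (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO transfers (name, owner) VALUES (?, ?)",
        [("report.csv", "alice"), ("payroll.xlsx", "bob")],
    )
    return conn

def lookup_unsafe(conn, owner):
    # Vulnerable pattern: the caller's value becomes part of the statement text,
    # so quote characters and SQL keywords in it change what the query does.
    sql = f"SELECT name FROM transfers WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, owner):
    # Hardened pattern: the value is bound as a parameter and never parsed as SQL.
    return [row[0] for row in conn.execute(
        "SELECT name FROM transfers WHERE owner = ?", (owner,)
    )]

# Allow-list validation as a second layer: identifiers for this hypothetical
# API are limited to a conservative character set before any lookup runs.
IDENT_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

def is_valid_identifier(value):
    return bool(IDENT_RE.match(value))

def lookup_validated(conn, owner):
    if not is_valid_identifier(owner):
        raise ValueError("owner must be an alphanumeric identifier")
    return lookup_safe(conn, owner)

def demo():
    # A constructed probe value containing a quote and a tautology. Against the
    # unsafe lookup it widens the result set; against the bound query it is just
    # an owner name that matches nothing; the validator rejects it outright.
    conn = make_demo_db()
    probe = "alice' OR '1'='1"
    result = {
        "unsafe": lookup_unsafe(conn, probe),
        "safe": lookup_safe(conn, probe),
        "legit": lookup_validated(conn, "alice"),
    }
    try:
        lookup_validated(conn, probe)
        result["validated_rejected"] = False
    except ValueError:
        result["validated_rejected"] = True
    return result

if __name__ == "__main__":
    print(demo())
```

The point for reviewers of a fix like the patch in this advisory is that binding alone closes the injection; the allow-list is defence in depth that also gives a clean, loggable rejection event instead of a silently empty result.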

Impact

Exploitation of this vulnerability could result in unauthorized file read/write operations and potentially allow for remote code execution.

Remediation

Users can upgrade to BMC Control-M/MFT patch PAAFP.9.0.22.025 to address this vulnerability. Instructions for installing this patch on both UNIX and Windows systems are available in the BMC Control-M documentation.

Added: Apr 10, 2026, 5:05 PM
Updated: Apr 10, 2026, 5:05 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 5.2
remediation: 0.0
relevance: 5.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.