Cyber Posture

CVE-2025-55108

Critical

Published: 05 November 2025
Modified: 15 April 2026
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0034 (56.7th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Security Summary

CVE-2025-55108 affects the Control-M/Agent component from BMC Software, enabling unauthenticated remote code execution (RCE), arbitrary file read and write operations, and similar unauthorized actions. This vulnerability arises specifically when mutual SSL/TLS authentication is not enabled, which is the default configuration. It is classified under CWE-306 (Missing Authentication for Critical Function) with a maximum CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and comprehensive impact on confidentiality, integrity, and availability.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network. Successful exploitation allows attackers to execute arbitrary code on the affected Control-M/Agent host, read or write arbitrary files, and perform other unauthorized actions, potentially leading to full system compromise in environments where mutual TLS is disabled.

BMC's advisories note that the vulnerability manifests only when its documented security best practice has not been followed: BMC has consistently recommended configuring SSL/TLS mutual authentication between the Control-M Server and Agent. Control-M/Agent deployments in Control-M SaaS are explicitly not impacted. Mitigation details are available in the BMC knowledge base articles at https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441962, https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000442099, and https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000442271.

Details

CWE: CWE-306 (Missing Authentication for Critical Function)

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated remote code execution against the network-accessible Control-M/Agent service maps directly to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
