Cyber Posture

CVE-2026-23780

High

Published: 10 April 2026

Published
10 April 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0019 40.1th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A SQL injection vulnerability in the MFT API's debug interface allows an authenticated attacker to inject malicious queries due to improper input validation and unsafe dynamic SQL handling. Successful exploitation…

more

can enable arbitrary file read/write operations and potentially lead to remote code execution.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

SI-10 directly addresses the improper input validation in the MFT API debug interface, preventing SQL injection attacks by validating all inputs.

SI-2 Flaw Remediation good match
prevent

SI-2 ensures timely remediation of the identified SQL injection flaw through application of BMC-recommended patches.

CM-7 Least Functionality partial match
prevent

CM-7 reduces the attack surface by prohibiting or restricting access to unnecessary debug interfaces like the vulnerable MFT API endpoint.

Security SummaryAI

CVE-2026-23780 is a SQL injection vulnerability (CWE-89) discovered in BMC Control-M/MFT versions 9.0.20 through 9.0.22. The issue resides in the MFT API's debug interface, where improper input validation and unsafe dynamic SQL handling allow an authenticated attacker to inject malicious queries. Published on 2026-04-10, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.

An attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and without requiring user interaction (UI:N). By injecting malicious SQL queries into the debug interface, the attacker can achieve arbitrary file read and write operations on the system, and exploitation may escalate to remote code execution, maintaining an unchanged scope (S:U).

BMC advisories recommend applying available patches for mitigation, such as Control-M-MFT-PAAFP-9-0-22-025 for version 9.0.22, detailed at https://docs.bmc.com/xwiki/bin/view/Control-M-Orchestration/Control-M/ctm9022/Patches/Control-M-MFT-PAAFP-9-0-22-025/. Additional issue and defect management resources are provided at https://www.bmc.com/support/resources/issue-defect-management.html.

Details

CWE(s)
CWE-89

Affected Products

bmc
control-m\/managed file transfer
9.0.20 — 9.0.22

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
attack.mitre.org →
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

SQL injection in network-accessible API (T1190) enables arbitrary file reads (T1005) and potential RCE for privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References