CVE-2026-10539: Unauthenticated command injection in Control-M/Server communication command
A Control-M/Server communication command does not sufficiently filter or sanitize user-supplied input. Under certain conditions, this issue may allow an unauthenticated attacker to execute unauthorized commands on the affected server, potentially leading to compromise of the server. This vulnerability affects Control-M/Server versions 9.0.20.x to 9.0.21.200 (included) and potentially earlier unsupported versions.
Metrics
- CVSS v4.0: 9.5
- Severity: CRITICAL
- Fixed in: 9.0.21.300
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unauthenticated command injection vulnerability affects BMC Control-M/Server versions 9.0.20.x through 9.0.21.200. The flaw is reachable over the network and requires no credentials, meaning an attacker who can reach the server's communication interface can inject arbitrary operating-system commands directly. Successful exploitation gives an attacker full control of the affected server, including the ability to read, modify, or destroy data and disrupt scheduled job orchestration. A patched-image rebuild at version 9.0.21.300 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-10539 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against images in customer registries, CI/CD pipelines, and custom-built images that bundle Control-M/Server components. Any image found carrying an affected version (9.0.20.x through 9.0.21.200) is flagged immediately.
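The version matching described above, as an added illustration that is not HarborGuard's own code: it classifies a Control-M/Server version against the advisory's affected range (9.0.20.x through 9.0.21.200 inclusive), treats builds older than that range as possibly affected because the advisory says earlier unsupported versions may also be vulnerable, and runs over a constructed sample image inventory (the image names are made up).

```python
from typing import Dict, List, Tuple

# Version facts as stated in the advisory for CVE-2026-10539.
AFFECTED_LOW = (9, 0, 20, 0)      # "9.0.20.x": any build with prefix 9.0.20
AFFECTED_HIGH = (9, 0, 21, 200)   # inclusive upper bound of the affected range
FIXED = "9.0.21.300"

# Constructed sample inventory (image reference -> bundled Control-M/Server version).
SAMPLE_INVENTORY = {
    "registry.example/batch/controlm-server:9.0.21.200": "9.0.21.200",
    "registry.example/batch/controlm-server:9.0.21.300": "9.0.21.300",
    "registry.example/batch/controlm-server:9.0.20.010": "9.0.20.010",
    "registry.example/legacy/controlm-server:9.0.19.100": "9.0.19.100",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse '9.0.21.200' into (9, 0, 21, 200), right-padding with zeros to four fields."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Control-M/Server version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


def classify(text: str) -> str:
    """Return 'affected', 'possibly-affected' or 'not-affected' for one version.

    'possibly-affected' covers builds below 9.0.20.x: the advisory calls these
    unsupported and says they may also be vulnerable, so they are not cleared.
    """
    version = parse_version(text)
    if AFFECTED_LOW <= version <= AFFECTED_HIGH:
        return "affected"
    if version < AFFECTED_LOW:
        return "possibly-affected"
    return "not-affected"


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (image, version, status) for every image that is not clearly fixed."""
    findings = []
    for image, version in inventory.items():
        status = classify(version)
        if status != "not-affected":
            findings.append((image, version, status))
    return findings


if __name__ == "__main__":
    for image, version, status in triage(SAMPLE_INVENTORY):
        print(f"{status:18} {version:12} {image}  (fix: {FIXED})")
```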
HarborGuard scores this CVE at its full CVSS v4.0 rating of 9.5 (Critical) and weights it against each environment's compliance policy to determine urgency and ownership. Triage results, including affected image references and recommended remediation steps, are routed to the appropriate team inbox within each customer organization based on configured policy rules.
A patched-image rebuild at Control-M/Server version 9.0.21.300 becomes available on HarborGuard as soon as the fix version is resolvable against an affected image. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the Control-M/Server communication interface over the network; internet-exposed or internally reachable deployments are in scope.
- Authentication: Not required
No credentials of any kind are needed; the vulnerable command handler accepts unauthenticated input.
- Victim interaction: Not required
Exploitation is fully automated and requires no action from any user or administrator on the target system.
- Attack complexity: Conditions apply (CVSS AT:P)
The exploit is generally reliable but depends on certain conditions being met in the target environment (CVSS AT:P), such as a specific server configuration or timing window, rather than being unconditionally exploitable.
Blast Radius
- The attacker executes arbitrary operating-system commands on the Control-M/Server host with the privileges of the server process.
- Confidential data held on the server, including job definitions, credentials, and integration secrets, is readable by the attacker.
- The attacker can modify or delete job schedules, output data, and configuration files persisted on the server.
- Downstream systems and workloads that Control-M/Server orchestrates are exposed to lateral movement, and the server process itself can be crashed or taken offline, halting scheduled automation.
How HarborGuard Handles This
Available on HarborGuard: detection of this critical command injection issue is active for all scanned images the moment the CVE is published, with no customer configuration required. For environments where images include Control-M/Server 9.0.20.x through 9.0.21.200, a rebuild against the fixed version 9.0.21.300 is available. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, executes regression tests, and opens a pull request against affected workloads; for Critical-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation-enabled environments is around 90 minutes. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with prioritized severity so that engineering teams can act immediately. Until patching is complete, network-policy controls that restrict access to the Control-M/Server communication port to known, trusted source addresses are a practical compensating control to reduce the attack surface.
Fix available
- BMC Control-M/Server: ≤ 9.0.21.200, fixed in 9.0.21.300
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H