Introduction
Unauthenticated attackers can remotely execute code, read or write arbitrary files, and perform unauthorized actions on BMC Control-M Agent installations if mutual SSL/TLS authentication is not enabled. This vulnerability, tracked as CVE-2025-55108, affects default deployments and exposes critical automation infrastructure to complete compromise. BMC Control-M is a widely used workload automation platform in enterprise environments, orchestrating business-critical processes across industries. Its Agent component is deployed globally in thousands of organizations, making the impact of this vulnerability significant for IT operations and security teams.
Technical Information
CVE-2025-55108 is a missing authentication vulnerability (CWE-306) in the BMC Control-M Agent, specifically when mutual SSL/TLS authentication is not configured. In the default configuration, Control-M Agent does not enforce SSL/TLS or require mutual authentication for communications with the Control-M Server. This allows any network-accessible attacker to interact with the Agent and perform privileged operations without authentication.
Mechanism:
- The Agent listens for commands from the Control-M Server. Without SSL/TLS and mutual authentication (Security Level 4), the Agent accepts and processes requests from any source.
- Attackers can send crafted protocol messages directly to the Agent's listening port (commonly 7005) to trigger arbitrary file read, write, or remote code execution with the privileges of the Agent process.
- The vulnerability is present in all default installations unless administrators have explicitly configured SSL/TLS with mutual authentication and deployed proper certificates.
Root Cause:
- The default configuration does not require authentication for critical functions between Control-M Server and Agent.
- The vulnerability is not due to a software bug but to a design choice that prioritizes ease of deployment over security by default.
No public code snippets or PoC are available at this time.
Patch Information
BMC Software has released patches to address multiple vulnerabilities identified in Control-M Agent versions 9.0.20.200 and earlier. These vulnerabilities, assigned CVE identifiers CVE-2025-55108 through CVE-2025-55118, encompass issues such as privilege escalation, information disclosure, and remote code execution.
To mitigate these vulnerabilities, BMC has released updated versions of the Control-M Agent. Users are strongly advised to upgrade to version 9.0.20.201 or later; the updated release addresses the identified security flaws.
For detailed instructions on applying the patches, users should refer to the official BMC documentation available on their community portal. This documentation provides step-by-step guidance on the upgrade process, including pre-installation requirements, backup procedures, and post-installation verification steps.
Follow the recommended upgrade procedure to preserve the integrity and security of your Control-M Agent installations. Applying security patches promptly, and keeping software current in general, is a fundamental part of maintaining a secure IT environment.
Patch reference: BMC Community Advisory
Affected Systems and Versions
- Product: BMC Control-M Agent
- Affected versions: 9.0.20.200 and earlier
- Vulnerable configurations: Default installations where mutual SSL/TLS authentication (Security Level 4) is not enabled between Control-M Server and Agent
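The two conditions above (an affected version and no mutual SSL/TLS at Security Level 4) decide whether a given agent is exposed, so a defender's first step is to triage the agent fleet against both. The following script is an added example, not code from BMC or from the advisory: it compares each agent's version against the fixed release named on this page, checks the configured security level, and includes a simple probe that tells whether a listener you administer offers TLS at all. The inventory records, the field names `host`, `port`, `version` and `security_level`, the use of `0` for "security level not set", and the `probe_tls` helper are all assumptions made for this example; export real inventory data from your own CMDB or Control-M Configuration Manager.

```python
"""Triage a BMC Control-M Agent inventory for exposure to CVE-2025-55108.

Added illustrative code, not BMC's. The inventory records below are
constructed; the field names (host, port, version, security_level) are an
assumption about how such data would be exported from your own tooling.
"""
import socket
import ssl
from dataclasses import dataclass

FIXED_VERSION = "9.0.20.201"   # first release the advisory names as fixed
MUTUAL_TLS_LEVEL = 4           # "Security Level 4" = mutual SSL/TLS
DEFAULT_AGENT_PORT = 7005      # common Agent listening port per the advisory


@dataclass
class Agent:
    host: str
    port: int
    version: str
    security_level: int   # as configured; 0 is used here to mean "not set"


def parse_version(text: str) -> tuple:
    """'9.0.20.200' -> (9, 0, 20, 200); tuples then compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def is_version_affected(version: str) -> bool:
    """True for 9.0.20.200 and earlier (the advisory's affected range)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def classify(agent: Agent) -> str:
    """Map one agent to a triage status.

    EXPOSED: affected version AND mutual TLS not enforced; the documented
             precondition for unauthenticated remote access is met.
    PATCH:   affected version but mutual TLS already enforced; upgrade is
             still required, but the stated precondition is not met.
    OK:      fixed version or later.
    """
    if not is_version_affected(agent.version):
        return "OK"
    if agent.security_level >= MUTUAL_TLS_LEVEL:
        return "PATCH"
    return "EXPOSED"


def triage(agents) -> dict:
    """Return {host: status} for a whole inventory."""
    return {a.host: classify(a) for a in agents}


def probe_tls(host: str, port: int = DEFAULT_AGENT_PORT, timeout: float = 3.0) -> str:
    """Check whether a listener you administer offers TLS (hypothetical helper).

    Returns 'tls' if the port completes a TLS handshake, 'tls-client-cert-required'
    if the server answered with TLS but rejected the handshake for lack of a
    client certificate, 'no-tls' if the listener answers without TLS (the
    insecure default), or 'unreachable'. Certificate validation is deliberately
    off because the aim is only to see whether TLS is offered; 'tls' alone does
    not prove that mutual authentication is enforced.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"
    except ssl.SSLError as err:
        if "certificate" in str(err).lower():
            return "tls-client-cert-required"
        return "no-tls"
    except OSError:
        return "unreachable"


# Constructed sample inventory for demonstration only.
SAMPLE_INVENTORY = [
    Agent("agent-a.example.test", 7005, "9.0.20.200", 0),   # default config
    Agent("agent-b.example.test", 7005, "9.0.20.100", 4),   # mutual TLS on
    Agent("agent-c.example.test", 7005, "9.0.20.201", 0),   # already patched
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{status:8} {host}")
```

Agents reported as EXPOSED should be prioritized for the 9.0.20.201 upgrade and, where the upgrade cannot happen immediately, for enabling Security Level 4 and restricting network reachability of the Agent port to the Control-M Server. The version comparison treats every release before 9.0.20.201 as affected, matching the "9.0.20.200 and earlier" wording on this page.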
Vendor Security History
BMC Software has previously addressed authentication and privilege escalation vulnerabilities in Control-M Agent and related products. The vendor has a history of releasing security advisories and patches in response to reported issues. For this vulnerability, BMC provided coordinated disclosure and detailed upgrade guidance. However, the default insecure configuration has been a recurring theme in several prior advisories, highlighting the importance of following recommended security best practices during deployment.