CVE-2026-10538 PUBLISHED

Improper deserialization handling in Control-M Components

Assigner: airbus
Reserved: 01.06.2026 Published: 01.07.2026 Updated: 01.07.2026

Messaging consumer functionality allows deserialization of user-controlled data without sufficient restriction of allowed object types in the out-of-support Control-M/Server and Control-M/Enterprise Manager versions 9.0.20.x and potentially earlier. This issue may allow an authenticated attacker to trigger unintended server-side behavior through crafted serialized content.
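
The weakness class named above (CWE-502, accepting serialized input without an allowlist of permitted types) is easiest to see side by side with the fix. The following is an added example written for this record, not code from BMC or from the Control-M product, and it does not reproduce the affected messaging consumer; it uses Python's pickle module as a stand-in serializer, and the `JobEvent` and `NotAMessage` classes, the `ALLOWED_TYPES` set and the message contents are all constructed for the demonstration. The unrestricted path instantiates whatever class the message names; the restricted path resolves only allowlisted (module, class) pairs and rejects everything else before any object is built.

```python
import io
import pickle
from dataclasses import dataclass


@dataclass
class JobEvent:
    """Constructed example of the one message type the consumer legitimately expects."""
    job_id: str
    status: str


@dataclass
class NotAMessage:
    """Constructed stand-in for any class the consumer never intended to accept."""
    payload: str


# Explicit allowlist of (module, class name) pairs the consumer may instantiate.
# __name__ is used so the entry matches whether this file runs as a script or is imported.
ALLOWED_TYPES = {
    (__name__, "JobEvent"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves class references present in ALLOWED_TYPES.

    find_class is consulted for every GLOBAL/STACK_GLOBAL reference in the stream,
    so a non-allowlisted type is refused before its constructor or __setstate__ runs.
    """

    def find_class(self, module, name):
        if (module, name) in ALLOWED_TYPES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden type in message: {module}.{name}")


def consume_unrestricted(raw: bytes):
    """Weak pattern: any class reachable by the unpickler may be instantiated."""
    return pickle.loads(raw)


def consume_restricted(raw: bytes):
    """Hardened pattern: reject any message that references a non-allowlisted type."""
    return RestrictedUnpickler(io.BytesIO(raw)).load()


def demo():
    """Run both consumers over a legitimate and an unexpected message (both constructed)."""
    good = pickle.dumps(JobEvent(job_id="job-42", status="ENDED_OK"))
    bad = pickle.dumps(NotAMessage(payload="anything"))

    results = {}
    # Legitimate message passes the allowlist and is rebuilt as the expected type.
    results["good_restricted"] = consume_restricted(good)
    # Unrestricted consumer happily materialises a type it never asked for.
    results["bad_unrestricted_type"] = type(consume_unrestricted(bad)).__name__
    # Restricted consumer refuses the same bytes.
    try:
        consume_restricted(bad)
        results["bad_restricted"] = "accepted"
    except pickle.UnpicklingError as exc:
        results["bad_restricted"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The allowlist is the control that matters: denylisting known gadget classes does not hold up, whereas refusing every type not explicitly expected by the consumer does. The same shape applies to JVM-based consumers through `ObjectInputFilter` (Java 9+) or to JMS setups that scope trusted packages, and a detection-side check is to alert on deserialization failures mentioning unexpected class names, since a legitimate producer never sends them.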

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS Score: 8.9

Product Status

Vendor: BMC
Product: Control-M/Enterprise Manager
Versions (default: affected):
  • affected from 9.0.20 to 9.0.21 (excl.)
  • Version 9.0.21 is unaffected

Vendor: BMC
Product: Control-M/Server
Versions (default: affected):
  • affected from 9.0.20 to 9.0.21 (excl.)
  • Version 9.0.21 is unaffected

Credits

  • Jean-Romain Garnier from [Airbus Security Lab](https://airbus-seclab.github.io) - <vuln@airbus.com> finder
  • Quentin Liddell from [Airbus Security Lab](https://airbus-seclab.github.io) - <vuln@airbus.com> finder

Problem Types

  • CWE-502: Deserialization of Untrusted Data