CVE-2026-10539 PUBLISHED

Unauthenticated command injection in Control-M/Server communication command

Assigner: airbus
Reserved: 01.06.2026
Published: 01.07.2026
Updated: 01.07.2026

A Control-M/Server communication command does not sufficiently filter or sanitize user-supplied input. Under certain conditions, this issue may allow an unauthenticated attacker to execute unauthorized commands on the affected server, potentially leading to compromise of the server.

This vulnerability affects Control-M/Server versions 9.0.20.x to 9.0.21.200 (inclusive) and potentially earlier unsupported versions.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS Score: 9.5

Product Status

Vendor: BMC
Product: Control-M/Server
Versions (default status: affected):
  • Affected from 9.0.20 to 9.0.21.200 (inclusive)
  • Version 9.0.21.300 is unaffected

Credits

  • Jean-Romain Garnier, [Airbus Security Lab](https://airbus-seclab.github.io) (<vuln@airbus.com>), finder
  • Quentin Liddell, [Airbus Security Lab](https://airbus-seclab.github.io) (<vuln@airbus.com>), finder

References

Problem Types

  • CWE-305: Authentication Bypass by Primary Weakness