Threat Advisory

BMC Control-M/Server Command Injection Flaw Enables Unauthenticated Remote Execution

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

A critical flaw in BMC Control-M/Server tracked as CVE-2026-10539 allows unauthenticated remote command injection on the server via poor input handling during communication commands. This vulnerability affecting BMC Control-M/Server versions The bug affects Control-M/Server for UNIX and Microsoft Windows, with a CVSS score of 9.5, enables attackers to run commands from afar and potentially pivot into linked services such as Amazon S3, Azure, and SharePoint Online, exposing sensitive workflows and connected cloud storage. The flaw affects Control-M/Server for UNIX and Microsoft Windows, specifically vulnerable builds running version 9.0.20.x through 9.0.21.200, inclusive, while earlier unsupported releases may also carry the issue.

RECOMMENDATION:

We recommend you to update BMC Control-M/Server to version 9.0.21.300.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

A critical flaw in BMC Control-M/Server tracked as CVE-2026-10539 allows unauthenticated remote command injection on the server via poor input handling during communication commands. This vulnerability affecting BMC Control-M/Server versions The bug affects Control-M/Server for UNIX and Microsoft Windows, with a CVSS score of 9.5, enables attackers to run commands from afar and potentially pivot into linked services such as Amazon S3, Azure, and SharePoint Online, exposing sensitive workflows and connected cloud storage. The flaw affects Control-M/Server for UNIX and Microsoft Windows, specifically vulnerable builds running version 9.0.20.x through 9.0.21.200, inclusive, while earlier unsupported releases may also carry the issue.

RECOMMENDATION:

We recommend you to update BMC Control-M/Server to version 9.0.21.300.[emaillocker id="1283"]

REFERENCES:

The following reports contain further technical details:

[/emaillocker]
crossmenu