securityonline.info 7/7/2026, 6:32:27 PM · external

Attackers can hijack servers via unauthenticated BMC Control M flaw

Attackers can hijack servers via unauthenticated BMC Control M flaw
CyberSIXT Evidence Panel
Primary Source bmcapps.my.site.com
CISA KEV Not in KEV
Patch Patch Status Unknown

THE content discusses a critical vulnerability in BMC Control-M/Server, identified as CVE-2026-10539. Scoring 9.5 on the CVSSv4 scale, this flaw allows unauthenticated remote command injection, posing a significant risk as it can lead to server takeover and exposure of sensitive data in hybrid environments. The vulnerability is caused by inadequate input handling, classified under CWE-305.

Although no exploitation has been reported, swift action is advised; administrators should update to version 9.0.21.300 or higher to address the issue. Affected versions include 9.0.20.x to 9.0.21.200. In the meantime, network access to the Control-M server communication port should be restricted, and monitoring for unusual activities is recommended.

View Primary Source Via securityonline.info

Article by CyberSIXT