THE content discusses a critical vulnerability in BMC Control-M/Server, identified as CVE-2026-10539. Scoring 9.5 on the CVSSv4 scale, this flaw allows unauthenticated remote command injection, posing a significant risk as it can lead to server takeover and exposure of sensitive data in hybrid environments. The vulnerability is caused by inadequate input handling, classified under CWE-305.
Although no exploitation has been reported, swift action is advised; administrators should update to version 9.0.21.300 or higher to address the issue. Affected versions include 9.0.20.x to 9.0.21.200. In the meantime, network access to the Control-M server communication port should be restricted, and monitoring for unusual activities is recommended.