CVE-2025-55109
BaseFortify
Publication date: 2025-09-16
Last updated on: 2025-10-10
Assigner: Airbus
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bmc | control-m\/agent | to 9.0.22 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-55109 is an authentication bypass vulnerability in out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier versions. It occurs when using an empty or default kdb keystore or a default PKCS#12 keystore. A remote attacker who has access to a signed third-party or demo certificate for client authentication can bypass the requirement for a certificate signed by the organization's certificate authority, allowing unauthorized authentication on the Control-M/Agent. [1]
How can this vulnerability impact me? :
This vulnerability can allow a remote attacker to bypass authentication controls and gain unauthorized access to the Control-M/Agent system. This unauthorized access can lead to full compromise of confidentiality, integrity, and availability of the system, potentially allowing the attacker to execute malicious actions or disrupt operations. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately upgrade Control-M/Agent to a version higher than 9.0.22, as versions 9.0.22 and lower are affected. Additionally, avoid using empty or default kdb keystores or default PKCS#12 keystores, and replace any default or demo certificates with certificates signed by your organization's certificate authority. [1]