CVE-2025-55113
BaseFortify
Publication date: 2025-09-16
Last updated on: 2025-10-10
Assigner: Airbus
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bmc | control-m/agent | up to 9.0.22 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-158 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in certain versions of Control-M/Agent where the Access Control List (ACL) enforcement stops verifying the email address in the client certificate at the first NULL byte. An attacker can exploit this by using a specially crafted certificate with a NULL byte in the email address, allowing them to bypass the configured ACLs and gain unauthorized access.
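The comparison flaw described above, as an added illustration in C. It is not Control-M/Agent code: the struct, the function names and the sample addresses are assumptions constructed for the example. It contrasts a C-string comparison, which stops at the first NUL, with a length-aware check that denies any field containing one.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical container: an e-mail value as it could arrive from a parsed
 * certificate field, carried as raw bytes plus an explicit length. */
struct cert_email {
    const unsigned char *data;
    size_t len;
};

/* Truncating comparison: treats the field as a C string, so nothing after
 * the first NUL byte is ever examined. */
int acl_match_cstring(const struct cert_email *e, const char *allowed)
{
    return strcmp((const char *)e->data, allowed) == 0;
}

/* Length-aware comparison: deny any field with an embedded NUL, then
 * compare the whole field against the ACL entry. */
int acl_match_strict(const struct cert_email *e, const char *allowed)
{
    size_t allowed_len = strlen(allowed);

    if (memchr(e->data, '\0', e->len) != NULL)
        return 0;                      /* malformed field: deny */
    if (e->len != allowed_len)
        return 0;                      /* trailing bytes: deny */
    return memcmp(e->data, allowed, allowed_len) == 0;
}

/* Constructed sample values (example.com / example.net are reserved names). */
static const unsigned char CLEAN[]  = "ops@example.com";
static const unsigned char SUFFIX[] = "ops@example.com\0.example.net";

const struct cert_email clean_email  = { CLEAN,  sizeof(CLEAN)  - 1 };
const struct cert_email suffix_email = { SUFFIX, sizeof(SUFFIX) - 1 };

int main(void)
{
    const char *acl = "ops@example.com";   /* constructed ACL entry */

    printf("clean : cstring=%d strict=%d\n",
           acl_match_cstring(&clean_email, acl), acl_match_strict(&clean_email, acl));
    printf("suffix: cstring=%d strict=%d\n",
           acl_match_cstring(&suffix_email, acl), acl_match_strict(&suffix_email, acl));
    return 0;
}
```

The same rule applies wherever certificate fields are logged or compared: keep the decoded length alongside the bytes and treat an embedded NUL as a validation failure.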
How can this vulnerability impact me?
This vulnerability can allow an attacker to bypass access controls, potentially gaining unauthorized access to systems or data protected by the ACLs in Control-M/Agent. This can lead to a compromise of the confidentiality, integrity, and availability of the affected system.