CVE-2026-23780
Received Received - Intake
SQL Injection in BMC Control-M/MFT API Enables Remote Code Execution

Publication date: 2026-04-10

Last updated on: 2026-04-27

Assigner: MITRE

Description
An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A SQL injection vulnerability in the MFT API's debug interface allows an authenticated attacker to inject malicious queries due to improper input validation and unsafe dynamic SQL handling. Successful exploitation can enable arbitrary file read/write operations and potentially lead to remote code execution.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-14
NVD
CVE-2026-23780
EUVD
EUVD-2026-21370
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bmc control-m/managed_file_transfer From 9.0.20 (inc) to 9.0.22 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in BMC Control-M/MFT versions 9.0.20 through 9.0.22. It is a SQL injection flaw found in the MFT API's debug interface. Because the input validation is improper and dynamic SQL is handled unsafely, an authenticated attacker can inject malicious SQL queries.

Exploiting this vulnerability can allow the attacker to perform arbitrary file read and write operations, and potentially execute remote code on the affected system.

Impact Analysis

If exploited, this vulnerability can have serious impacts including unauthorized access to files, modification or deletion of critical data, and potentially full remote code execution on the affected system.

Such impacts could lead to system compromise, data breaches, disruption of services, and loss of data integrity.

Mitigation Strategies

To mitigate the SQL injection vulnerability in BMC Control-M/MFT versions 9.0.20 through 9.0.22, you should apply the Control-M MFT patch PAAFP.9.0.22.025 or a later version as soon as possible.

The patch addresses multiple security issues including injection vulnerabilities and file permission bypasses.

Installation instructions include:

  • For UNIX systems: Verify Control-M MFT 9.0.22.000 or higher is installed, stop Control-M/Agent using 'shut-ag', run the appropriate installer binary, then restart Control-M/Agent with 'start-ag'.
  • For Windows systems: Verify Control-M MFT 9.0.22.000 or higher is installed, stop Control-M/Agent service and the 'p_ctmam.exe' process, stop the Control-M MFT container, run the patch executable as Administrator if UAC is enabled, then restart Control-M/Agent service.

Applying this patch is critical to address the vulnerability and improve overall security and reliability of the Control-M MFT environment.

Compliance Impact

The vulnerability in BMC Control-M/MFT versions 9.0.20 through 9.0.22 involves a SQL injection in the MFT API's debug interface that can lead to arbitrary file read/write operations and potentially remote code execution. Such security weaknesses can compromise the confidentiality, integrity, and availability of sensitive data handled by the system.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, exploitation of this vulnerability could lead to unauthorized access or manipulation of sensitive data, which would likely violate data protection requirements and security controls mandated by these regulations.

Therefore, organizations using affected versions without applying patches may face increased risk of non-compliance with common data protection and security standards due to potential data breaches or unauthorized data manipulation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23780. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart