CVE-2026-23780
SQL Injection in BMC Control-M/MFT API Enables Remote Code Execution

Publication date: 2026-04-10

Last updated on: 2026-04-27

Assigner: MITRE

Description
An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A SQL injection vulnerability in the MFT API's debug interface allows an authenticated attacker to inject malicious queries due to improper input validation and unsafe dynamic SQL handling. Successful exploitation can enable arbitrary file read/write operations and potentially lead to remote code execution.
Meta Information
Generated: 2026-05-06
AI Q&A: 2026-04-10
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: bmc
Product: control-m/managed_file_transfer
Version / Range: From 9.0.20 (inc) to 9.0.22 (inc)
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in BMC Control-M/MFT versions 9.0.20 through 9.0.22. It is a SQL injection flaw found in the MFT API's debug interface. Because the input validation is improper and dynamic SQL is handled unsafely, an authenticated attacker can inject malicious SQL queries.

Exploiting this vulnerability can allow the attacker to perform arbitrary file read and write operations, and potentially execute remote code on the affected system.


How can this vulnerability impact me?

If exploited, this vulnerability can have serious impacts including unauthorized access to files, modification or deletion of critical data, and potentially full remote code execution on the affected system.

Such impacts could lead to system compromise, data breaches, disruption of services, and loss of data integrity.


What immediate steps should I take to mitigate this vulnerability?

To mitigate the SQL injection vulnerability in BMC Control-M/MFT versions 9.0.20 through 9.0.22, you should apply the Control-M MFT patch PAAFP.9.0.22.025 or a later version as soon as possible.

The patch addresses multiple security issues including injection vulnerabilities and file permission bypasses.

Installation instructions include:

  • For UNIX systems: Verify Control-M MFT 9.0.22.000 or higher is installed, stop Control-M/Agent using 'shut-ag', run the appropriate installer binary, then restart Control-M/Agent with 'start-ag'.
  • For Windows systems: Verify Control-M MFT 9.0.22.000 or higher is installed, stop Control-M/Agent service and the 'p_ctmam.exe' process, stop the Control-M MFT container, run the patch executable as Administrator if UAC is enabled, then restart Control-M/Agent service.

Applying this patch is critical to address the vulnerability and improve overall security and reliability of the Control-M MFT environment.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in BMC Control-M/MFT versions 9.0.20 through 9.0.22 involves a SQL injection in the MFT API's debug interface that can lead to arbitrary file read/write operations and potentially remote code execution. Such security weaknesses can compromise the confidentiality, integrity, and availability of sensitive data handled by the system.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, exploitation of this vulnerability could lead to unauthorized access or manipulation of sensitive data, which would likely violate data protection requirements and security controls mandated by these regulations.

Therefore, organizations using affected versions without applying patches may face increased risk of non-compliance with common data protection and security standards due to potential data breaches or unauthorized data manipulation.

