CVE-2026-23781
Received Received - Intake
Hardcoded Credentials in BMC Control-M/MFT Enable Unauthorized Access

Publication date: 2026-04-10

Last updated on: 2026-04-27

Assigner: MITRE

Description
An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A set of default debug user credentials is hardcoded in cleartext within the application package. If left unchanged, these credentials can be easily obtained and may allow unauthorized access to the MFT API debug interface.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23781
EUVD
EUVD-2026-21404
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bmc control-m/managed_file_transfer From 9.0.20 (inc) to 9.0.22 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-798 The product contains hard-coded credentials, such as a password or cryptographic key.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in BMC Control-M/MFT versions 9.0.20 through 9.0.22. It involves a set of default debug user credentials that are hardcoded in cleartext within the application package. Because these credentials are embedded and not protected, if they are not changed by the user, an attacker can easily obtain them.

With these credentials, unauthorized users may gain access to the MFT API debug interface, which is intended for debugging purposes and not for general access.

Impact Analysis

If the default debug credentials are left unchanged, an attacker can use them to access the MFT API debug interface without authorization.

This unauthorized access could lead to potential exposure of sensitive information, manipulation of the system, or disruption of services that rely on the MFT API.

Compliance Impact

The vulnerability involves hardcoded default debug user credentials in cleartext, which if left unchanged, can allow unauthorized access to the MFT API debug interface.

Such unauthorized access risks exposing sensitive data or system controls, potentially leading to violations of data protection standards and regulations such as GDPR and HIPAA that require strict access controls and protection of personal and health information.

Therefore, this vulnerability could negatively impact compliance with these regulations if exploited, due to insufficient authentication and potential unauthorized data access.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23781. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart