CVE-2026-23782
Unauthorized API Secret Disclosure in BMC Control-M/MFT 9.0.x
Publication date: 2026-04-10
Last updated on: 2026-04-27
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bmc | control-m/managed_file_transfer | From 9.0.20 (inc) to 9.0.22 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided context does not include any information about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability exists in BMC Control-M/MFT versions 9.0.20 through 9.0.22. It involves an API management endpoint that allows unauthenticated users to obtain both an API identifier and its corresponding secret value.
With these exposed secrets, an attacker could invoke privileged API operations without authorization.
How can this vulnerability impact me?
The impact of this vulnerability is that an attacker who obtains the API identifier and secret can perform privileged API operations.
This could lead to unauthorized access to sensitive functions or data within the affected BMC Control-M/MFT system.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the vulnerability in BMC Control-M/MFT versions 9.0.20 through 9.0.22, it is recommended to apply the latest patches provided by BMC Software.
Specifically, installing Control-M/Server patch PACTV.9.0.21.308 or later addresses multiple issues including API vulnerabilities that could allow unauthorized access.
Ensure that prerequisites such as Control-M/Server 9.0.21.300 and earlier patches (PACTV.9.0.21.302, PACTV.9.0.21.305, PACTV.9.0.21.306, and for certain database platforms PACTV.9.0.21.307) are installed before applying this patch.
In High Availability environments, apply patches to both active and non-active hosts, and follow the recommended procedures to stop and verify the Control-M/Server Configuration Agent to avoid automatic failover during patching.
The patch installation involves shutting down Control-M/Server components, applying the patch, and restarting the components, which can be done interactively or silently.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an API management endpoint in BMC Control-M/MFT versions 9.0.20 through 9.0.22 that allows unauthenticated users to obtain API identifiers and secret values. Detection would involve monitoring for unauthenticated or unauthorized requests to the API management endpoint, and for unusual privileged API calls that could indicate the disclosed secret is being used.
Since the provided resources do not include specific detection commands or network signatures, a general approach would be to monitor network traffic for suspicious requests to the management endpoint and to review the Control-M/MFT and web-server logs for unauthorized access patterns.
Additionally, applying the patch described in Resource 1 (Control-M/Server patch PACTV.9.0.21.308) is recommended to remediate vulnerabilities including API-related issues.