CVE-2026-10539
Received Received - Intake

Control-M Server Command Injection Vulnerability

Vulnerability report for CVE-2026-10539, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: Airbus

Description

A Control-M/Server communication command does not sufficiently filter or sanitize user-supplied input. Under certain conditions, this issue may allow an unauthenticated attacker to execute unauthorized commands on the affected server, potentially leading to compromise of the server.Β  This vulnerability affects Control-M/Server versions 9.0.20.x to 9.0.21.200 (included) and potentially earlier unsupported versions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-01
Last Modified
2026-07-01
Generated
2026-07-01
AI Q&A
2026-07-01
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
bmc_software control-m_server From 9.0.20.x (inc) to 9.0.21.200 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-305 The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Control-M/Server communication commands that do not properly filter or sanitize user-supplied input.

Under certain conditions, this flaw allows an unauthenticated attacker to execute unauthorized commands on the affected server.

This can potentially lead to the compromise of the server.

Impact Analysis

An attacker exploiting this vulnerability can remotely execute unauthorized commands on the Control-M/Server without authentication.

This can lead to a full compromise of the affected server, potentially allowing the attacker to control or disrupt server operations.

Compliance Impact

The vulnerability allows an unauthenticated attacker to execute unauthorized commands on the affected server, potentially leading to compromise of the server.

Such a compromise could result in unauthorized access to sensitive data or disruption of services, which may impact compliance with common standards and regulations like GDPR and HIPAA that require protection of data confidentiality, integrity, and availability.

However, the provided information does not explicitly detail the direct effects on compliance with these standards.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10539. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart