CVE-2026-10540
Received - Intake

Weak Password Hash Storage in Control-M/Enterprise Manager

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: Airbus

Description

The Control-M/Enterprise Manager uses weak protections for stored hashes of account passwords, potentially allowing offline password recovery attacks if credential data is obtained by an attacker. This vulnerability affects Control-M/Enterprise Manager unsupported versions 9.0.20.x and potentially earlier unsupported versions.

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor: bmc_software
Product: control-m_enterprise_manager
Version / Range: to 9.0.20.x (exc)

Exploitability

CWE ID: CWE-328
Description: The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).

Executive Summary

This vulnerability involves the Control-M/Enterprise Manager using weak protections for stored hashes of account passwords. Because of this weakness, if an attacker obtains the credential data, they could potentially perform offline password recovery attacks to retrieve the original passwords.

It affects unsupported versions 9.0.20.x and potentially earlier unsupported versions of Control-M/Enterprise Manager.

Impact Analysis

The impact of this vulnerability is that an attacker who gains access to the stored credential data could recover account passwords offline. This could lead to unauthorized access to accounts managed by Control-M/Enterprise Manager, potentially compromising system security and sensitive operations.

Detection Guidance

This vulnerability affects Control-M/Enterprise Manager versions 9.0.20.x and potentially earlier unsupported versions. Detection involves identifying whether your system is running one of these affected versions.

No specific commands or detailed detection methods are provided in the available resources.

Mitigation Strategies

The provided resources do not specify immediate mitigation steps for this vulnerability.

Compliance Impact

The vulnerability involves weak protections for stored password hashes in Control-M/Enterprise Manager, potentially allowing offline password recovery attacks if credential data is obtained by an attacker.

Such a weakness could impact compliance with standards and regulations like GDPR and HIPAA, which require adequate protection of sensitive data, including authentication credentials, to prevent unauthorized access and data breaches.

However, the provided information does not explicitly state the direct effects on compliance with these standards.
