CVE-2026-23781: Hardcoded Credentials in BMC Control-M/MFT

The presence of hardcoded default credentials in BMC Control-M/MFT represents a critical security weakness. An attacker who discovers these credentials can immediately gain access to the MFT API debug interface without needing to exploit any other vulnerabilities. This access can be leveraged to perform a variety of malicious actions, including inspecting sensitive data, modifying system configurations, and potentially even executing arbitrary code. The ease of exploitation makes this vulnerability particularly concerning, as it bypasses many common security controls. The impact is amplified if the debug interface provides access to sensitive data or critical system functions. This vulnerability is akin to leaving the back door to a building unlocked – anyone can walk in.

1. Veröffentlicht2026-04-10
2. Geändert2026-04-14
3. EPSS aktualisiert2026-04-18

The primary mitigation for CVE-2026-23781 is to upgrade BMC Control-M/MFT to version 9.0.22-025 or later. Crucially, after installation, immediately change the default debug user credentials to strong, unique passwords. If upgrading is not immediately possible, consider disabling the debug interface entirely if it is not actively required. Implement strict access controls to limit who can access the debug interface, even after changing the credentials. Regularly audit user accounts and permissions to ensure that only authorized personnel have access. After upgrading and changing credentials, verify access restrictions by attempting to log in with the default credentials and confirming that access is denied.