Status: Pending Analysis

CVE-2026-23781: Hardcoded Credentials in BMC Control-M/MFT

Platform: other

Component: bmc-control-m-mft

Fixed in: 9.0.22-025

CVE-2026-23781 is a critical vulnerability affecting BMC Control-M/MFT versions 9.0.20 through 9.0.22. The vulnerability stems from the hardcoding of default debug user credentials in cleartext within the application package. This allows attackers with access to the application package to easily obtain these credentials and potentially gain unauthorized access to the MFT API debug interface. A fix is available in version 9.0.22-025.

Impact and Attack Scenarios

The presence of hardcoded credentials in cleartext represents a severe security risk. An attacker who gains access to the Control-M/MFT application package can extract these credentials and use them to access the MFT API debug interface. That interface likely exposes sensitive data and configuration settings, and may also allow commands to be executed within the Control-M/MFT environment. Successful exploitation could lead to data breaches, unauthorized modifications to file transfer configurations, and possibly complete system compromise. Because the credentials are stored in cleartext, exploitation requires minimal effort, which makes this vulnerability particularly concerning.

Exploitation Context

CVE-2026-23781 is currently not listed on KEV or EPSS, suggesting a low to medium probability of exploitation. Public proof-of-concept (POC) code is not yet available, but the ease of exploitation due to the hardcoded credentials makes it a likely target for opportunistic attackers. The vulnerability was published on 2026-04-10, so active campaigns are possible but unconfirmed.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No

EPSS

0.07% (20th percentile)

Affected Software

Component: bmc-control-m-mft
Vendor: n/a
Minimum version: 9.0.20
Maximum version: n/a
Fixed in: 9.0.22-025

Timeline

  1. Published
  2. Modified
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-23781 is to immediately upgrade BMC Control-M/MFT to version 9.0.22-025 or later. Prior to upgrading, it is highly recommended to review and back up your existing Control-M/MFT configuration. If an immediate upgrade is not feasible, consider restricting access to the Control-M/MFT application package to only authorized personnel. While not a complete solution, this can reduce the attack surface. Regularly scan your environment for unauthorized access attempts to the MFT API debug interface. After upgrading, confirm the vulnerability is resolved by attempting to access the debug interface with the default credentials – access should be denied.

How to fix

Upgrade BMC Control-M/MFT to version 9.0.22-025 or later to mitigate this risk. Verify that the default debug credentials have been changed or removed after the initial installation. Consult the BMC documentation for detailed instructions on applying the patch and managing the debug credentials.

Frequently asked questions

What is CVE-2026-23781 — Hardcoded Credentials in BMC Control-M/MFT?

CVE-2026-23781 affects BMC Control-M/MFT versions 9.0.20 through 9.0.22. It involves default debug user credentials hardcoded in cleartext, allowing unauthorized API access.

Am I affected by CVE-2026-23781 in BMC Control-M/MFT?

If you are running BMC Control-M/MFT version 9.0.20, 9.0.21, or 9.0.22, you are potentially affected by this vulnerability. Check your version immediately.
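As an added example that is not part of this advisory, the following Python check applies the affected range (9.0.20 through 9.0.22) and the fix build (9.0.22-025) stated above to an inventory of installed versions. The version string format (`9.0.22` or `9.0.22-025` with a numeric build suffix) and the sample host names are assumptions.

```python
import re
from typing import Dict, Optional, Tuple

# Affected range and fix build as stated in the advisory above.
AFFECTED_MIN = (9, 0, 20)
AFFECTED_MAX = (9, 0, 22)
FIXED_IN = (9, 0, 22, 25)

# Assumption: versions look like "9.0.22" or "9.0.22-025" (numeric build suffix).
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:-(\d+))?\s*$")


def parse_version(text: str) -> Tuple[int, int, int, Optional[int]]:
    """Split a Control-M/MFT version string into (major, minor, patch, build)."""
    m = _VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, build = m.groups()
    return int(major), int(minor), int(patch), (int(build) if build is not None else None)


def is_affected(text: str) -> bool:
    """True when the version lies in 9.0.20..9.0.22 and is below the 9.0.22-025 fix build."""
    major, minor, patch, build = parse_version(text)
    base = (major, minor, patch)
    if not AFFECTED_MIN <= base <= AFFECTED_MAX:
        return False
    # 9.0.22 with no build suffix, or with a build before 025, is still vulnerable.
    if base == FIXED_IN[:3] and build is not None and build >= FIXED_IN[3]:
        return False
    return True


def triage_inventory(hosts: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'affected' / 'not affected' / 'unknown' for installed versions."""
    result = {}
    for host, version in hosts.items():
        try:
            result[host] = "affected" if is_affected(version) else "not affected"
        except ValueError:
            result[host] = "unknown"  # unparsable version string: needs manual review
    return result


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are illustrative only.
    sample = {"mft-prod-01": "9.0.22-025", "mft-prod-02": "9.0.21",
              "mft-dev-01": "9.0.22-010", "mft-old": "9.0.19", "mft-x": "n/a"}
    for host, status in triage_inventory(sample).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" have a version string the check could not parse and should be reviewed by hand rather than treated as safe.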

How do I fix CVE-2026-23781 in BMC Control-M/MFT?

Upgrade to BMC Control-M/MFT version 9.0.22-025 or later to resolve the vulnerability. Back up your configuration before upgrading.

Is CVE-2026-23781 being actively exploited?

While no active campaigns have been confirmed, the ease of exploitation makes it a potential target. Monitor your systems closely.

Where can I find the official BMC advisory for CVE-2026-23781?

Refer to the BMC Support website for the official advisory and detailed information regarding this vulnerability.
