Platform: other
Component: control-m/agent
Fixed in
9.0.20.100
9.0.20
9.0.19
CVE-2025-55115 describes a Path Traversal vulnerability discovered in the Control-M/Agent component. This flaw allows an attacker with access to the system running the Agent to potentially escalate their privileges. The vulnerability impacts Control-M/Agent versions 9.0.18 through 9.0.21, and potentially earlier unsupported versions. A fix is available in version 9.0.20.100 and later.
Successful exploitation of CVE-2025-55115 could allow an attacker to read arbitrary files on the system hosting the Control-M/Agent. This could include sensitive configuration files, credentials, or other data that could be used to further compromise the environment. The ability to escalate privileges means an attacker could gain control of the system, potentially leading to data breaches, system disruption, or further lateral movement within the network. The impact is particularly concerning given that the vulnerability affects out-of-support versions, suggesting a lack of ongoing security maintenance in some deployments.
CVE-2025-55115 was publicly disclosed on September 16, 2025. The vulnerability's severity is rated HIGH (CVSS 8.8). There are currently no publicly known proof-of-concept exploits. The vulnerability has not been added to the CISA KEV catalog as of this date. Given the path traversal nature and the potential for privilege escalation, it is prudent to monitor for exploitation attempts.
Exploit Status
EPSS: 0.02% (4% percentile)
The primary mitigation for CVE-2025-55115 is to upgrade the Control-M/Agent to version 9.0.20.100 or later. If an immediate upgrade is not feasible, consider restricting access to the Agent system to only authorized personnel. Review file system permissions to minimize the potential impact of a successful exploit. While a WAF or proxy is unlikely to directly mitigate this path traversal vulnerability, ensuring proper input validation and sanitization in any upstream applications interacting with the Agent can help reduce the attack surface. After upgrade, confirm the fix by attempting to access restricted files via the vulnerable endpoint and verifying that access is denied.
Upgrade Control-M/Agent to version 9.0.20.100 or later. This fixes the path traversal vulnerability that allows local privilege escalation. See the BMC knowledge base article for more details on the upgrade.
CVE-2025-55115 is a Path Traversal vulnerability in Control-M/Agent allowing attackers with system access to potentially escalate privileges. It affects versions 9.0.18–9.0.21.
You are affected if you are running Control-M/Agent versions 9.0.18 through 9.0.21, or potentially earlier unsupported versions. Check your version and upgrade if necessary.
Upgrade Control-M/Agent to version 9.0.20.100 or later to resolve the vulnerability. Restrict access to the Agent system as an interim measure.
As of September 16, 2025, there are no publicly known active exploitation campaigns for CVE-2025-55115, but monitoring is recommended.
Refer to the official Micro Focus security advisory for Control-M/Agent, which should be available on the Micro Focus support website.