Platform
other
Component
control-m/agent
Fixed versions
9.0.23
9.0.22
9.0.21
9.0.20
9.0.19
CVE-2025-55108 represents a critical Remote Code Execution (RCE) vulnerability affecting the Control-M/Agent component. This flaw allows unauthorized actors to execute arbitrary code and to read and write files on the system, effectively compromising the agent's security. The vulnerability impacts versions 9.0.18 through 9.0.22, but is not present in Control-M SaaS. The vendor emphasizes that this issue arises from a failure to implement recommended security best practices.
The impact of CVE-2025-55108 is severe due to the unauthenticated nature of the RCE. An attacker, without requiring any credentials, can exploit this vulnerability to gain complete control over the affected Control-M/Agent. This could involve executing malicious commands, stealing sensitive data stored on the system, or modifying system configurations. Successful exploitation could lead to lateral movement within the network if the agent has access to other systems or resources. The blast radius extends to any data processed or managed by the Control-M system, potentially impacting critical business operations and sensitive information. The vendor notes that this vulnerability is a direct consequence of not following their recommended security practices, specifically the use of mutual SSL/TLS authentication.
CVE-2025-55108 was published on November 5, 2025. The EPSS score is currently pending evaluation, but the CVSS score of 10 (CRITICAL) indicates a high probability of exploitation. The vendor's statement that the vulnerability arises from a failure to follow security best practices suggests that exploitation may be relatively straightforward for attackers familiar with Control-M. Public proof-of-concept (POC) code is currently unknown, but the severity and ease of exploitation could lead to the development and release of such tools. Refer to the NVD and CISA advisories for updates as they become available.
Exploit status
EPSS
0.50% (66th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-55108 is to enable mutual SSL/TLS authentication between the Control-M Server and Agent. This requires configuring both the server and agent to verify each other's identities using certificates, preventing unauthorized connections. If immediate patching is not feasible, consider implementing strict network segmentation to isolate the Control-M/Agent from other critical systems. Web Application Firewall (WAF) rules can be configured to block suspicious traffic patterns associated with RCE attempts, although this is not a substitute for proper authentication. Monitor system logs for unusual activity or attempts to access files without proper authorization. After enabling mutual TLS authentication, verify the configuration by attempting to connect to the agent from an unauthorized source; the connection should be rejected.
Enable mutual SSL/TLS authentication between the Control-M Server and the Agent. Consult the BMC documentation for detailed instructions on how to configure SSL/TLS correctly. Make sure to follow the security best practices recommended by the vendor.
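As an added verification check for the mitigation described in the two paragraphs above (this is example code written for this page, not BMC's tooling), the probe below does what the last sentence of the mitigation text asks for: it opens a TLS session to the agent's listening port without presenting any client certificate and reports whether the agent rejects it. It assumes the agent accepts plain TLS over TCP on that port; host and port are command-line arguments, and the port must be taken from your own agent configuration.

```python
import socket
import ssl
import sys
from dataclasses import dataclass

@dataclass
class ProbeResult:
    state: str   # "enforced", "open", "not-tls", "unreachable" or "unknown"
    detail: str

# OpenSSL reason fragments meaning the server refused a session that presented
# no client certificate (TLS 1.3 and TLS 1.2 alert wording respectively).
_CLIENT_AUTH_REJECTIONS = ("CERTIFICATE_REQUIRED", "HANDSHAKE_FAILURE")

def classify(exc: BaseException) -> ProbeResult:
    """Turn a connect/handshake/read failure into a verdict on the agent's policy."""
    text = f"{getattr(exc, 'reason', '')} {exc}".upper()
    if any(marker in text for marker in _CLIENT_AUTH_REJECTIONS):
        return ProbeResult("enforced", "rejected a session without a client certificate")
    if "WRONG_VERSION_NUMBER" in text or "UNKNOWN_PROTOCOL" in text:
        return ProbeResult("not-tls", "listener answered with something other than TLS")
    if isinstance(exc, ssl.SSLError):
        return ProbeResult("unknown", f"TLS error needs manual review: {exc}")
    return ProbeResult("unreachable", f"no TCP/TLS session: {exc}")

def probe_mutual_tls(host: str, port: int, timeout: float = 5.0) -> ProbeResult:
    """Open a TLS session with NO client certificate and report how the agent reacts."""
    ctx = ssl.create_default_context()
    # Server verification is switched off on purpose: the question is whether the
    # agent rejects an unauthenticated client, not whether this probe trusts the agent.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.settimeout(timeout)
                try:
                    # Under TLS 1.3 the client finishes its handshake before the server
                    # evaluates the missing certificate; the alert only arrives on the
                    # first read, so force one. A read timeout means the server is just
                    # waiting for data, i.e. the session was accepted.
                    tls.recv(1)
                except (socket.timeout, TimeoutError):
                    pass
        return ProbeResult("open", "session accepted without a client certificate")
    except Exception as exc:  # every failure mode is itself a verdict
        return classify(exc)

if __name__ == "__main__":
    # Usage: python probe.py <agent-host> <agent-port>   (port from your agent config)
    print(probe_mutual_tls(sys.argv[1], int(sys.argv[2])))
```

A result of "open" means the agent completed a session with an unauthenticated peer and mutual TLS is not being enforced; "enforced" is the outcome the mitigation text expects.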
It's a critical Remote Code Execution (RCE) vulnerability in Control-M/Agent versions 9.0.18–9.0.22, allowing unauthorized code execution if mutual TLS isn't enabled.
If you are using Control-M/Agent versions 9.0.18 through 9.0.22 and have not enabled mutual SSL/TLS authentication, you are likely affected.
Enable mutual SSL/TLS authentication between the Control-M Server and Agent. Upgrade to a patched version when available.
Exploitation is possible given the high CVSS score and lack of authentication. Public POCs are currently unknown, but the risk is significant.
Refer to the National Vulnerability Database (NVD) and CISA advisories for updates and further information on CVE-2025-55108.