๐Ÿ” CVE Alert

CVE-2025-55113

CRITICAL 9.0

BMC Control-M/Agent unescaped NULL byte in access control list checks

CVSS Score: 9.0
EPSS Score: 0.0%
EPSS Percentile: 0th

If the Access Control List is enforced by the Control-M/Agent and the C router is in use (the default in out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions; non-default but configurable using the JAVA_AR setting in newer versions), verification stops at the first NULL byte encountered in the email address referenced in the client certificate. An attacker could bypass configured ACLs by using a specially crafted certificate.
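The truncation described above, sketched in C as an added example (not BMC's code and not part of the original advisory); the struct, function names and sample addresses are hypothetical and constructed. It contrasts a NUL-terminated string comparison with a length-aware check that rejects embedded NUL bytes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Email value as carried in a certificate: raw bytes plus an explicit
 * length (ASN.1 strings are length-prefixed, not NUL-terminated). */
struct cert_email { const unsigned char *data; size_t len; };

/* Flawed pattern: treats the field as a C string, so the comparison
 * ends at the first NUL byte and ignores everything after it. */
bool acl_match_cstr(const struct cert_email *e, const char *allowed)
{
    return strcmp((const char *)e->data, allowed) == 0;
}

/* Hardened check: refuse any embedded NUL, then compare the full length. */
bool acl_match_exact(const struct cert_email *e, const char *allowed)
{
    size_t alen = strlen(allowed);

    if (memchr(e->data, '\0', e->len) != NULL)
        return false;               /* malformed identity: deny outright */
    return e->len == alen && memcmp(e->data, allowed, alen) == 0;
}

/* Constructed sample values (not taken from any real certificate). */
static const unsigned char SAMPLE_NUL[] = "ops@example.com\0.untrusted.example";
static const unsigned char SAMPLE_OK[]  = "ops@example.com";

struct cert_email sample_with_nul(void)
{
    return (struct cert_email){ SAMPLE_NUL, sizeof SAMPLE_NUL - 1 };
}

struct cert_email sample_clean(void)
{
    return (struct cert_email){ SAMPLE_OK, sizeof SAMPLE_OK - 1 };
}

int main(void)
{
    struct cert_email bad = sample_with_nul();
    printf("cstr compare:  %d\n", acl_match_cstr(&bad, "ops@example.com"));
    printf("exact compare: %d\n", acl_match_exact(&bad, "ops@example.com"));
    return 0;
}
```

The same embedded-NUL test is a useful audit check when reviewing identities already accepted by an agent: a legitimate email address never contains a NUL byte.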

CWE: CWE-158
Vendor: bmc
Product: control-m/agent
Published: Sep 16, 2025
Last Updated: Feb 26, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Affected Versions

BMC / Control-M/Agent
9.0.22.000 9.0.21 9.0.20 9.0.19 9.0.18

References

bmcapps.my.site.com: https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000442099
bmcapps.my.site.com: https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441967

Credits

Airbus SAS - Jean-Romain Garnier