← back
CVE-2026-10539

Unauthenticated command injection in Control-M/Server communication command

CVSS 9.5 CRITICALEPSS 0.2%CWE-305
Vexday Risk Score
28Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 9.5EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
01 Jul 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
A Control-M/Server communication command does not sufficiently filter or sanitize user-supplied input. Under certain conditions, this issue may allow an unauthenticated attacker to execute unauthorized commands on the affected server, potentially leading to compromise of the server.  This vulnerability affects Control-M/Server versions 9.0.20.x to 9.0.21.200 (included) and potentially earlier unsupported versions.
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Affected products
BMC · Control-M/Server