- CVE: CVE-2026-10539
- CVSS: 9.5 (Critical · CVSSv4)
- Product: BMC Control-M/Server
- Affected: 9.0.20
- Impact: Unauthenticated command injection in Control-M/Server communication command
- Status: No confirmed exploitation yet
- Patched in: 9.0.21.300
- EPSS: 0.2% (30-day)
- Action: Update to 9.0.21.300 now
TL;DR
BMC disclosed a critical flaw in Control-M/Server tracked as CVE-2026-10539. The Control-M command injection bug scores 9.5 on CVSSv4. It lets an unauthenticated attacker run commands on the server from afar.
Why It Matters
Control-M schedules jobs and moves files across hybrid enterprise environments. A compromised server therefore exposes sensitive workflows and connected cloud storage. This Control-M command injection flaw needs no login at all. As a result, exposed instances face a real risk of full server takeover. Attackers could also pivot into linked services such as Amazon S3, Azure, and SharePoint Online.
How the Attack Works
The root cause is poor input handling. A Control-M/Server communication command does not properly filter or sanitize user-supplied input. Under certain conditions, that gap enables unauthenticated remote command injection. BMC classifies the issue as CWE-305, an authentication bypass weakness. No working exploit details are public, and none appear here.
Exploitation Status
BMC has not reported any exploitation in the wild. Likewise, no public proof-of-concept has surfaced. Still, the high severity warrants fast action.
Affected Versions
The bug affects Control-M/Server for UNIX and Microsoft Windows. Vulnerable builds run 9.0.20.x through 9.0.21.200, inclusive. Earlier unsupported releases may also carry the flaw. Version 9.0.21.300 and later fix it.
Patch and Mitigation
Administrators should upgrade to 9.0.21.300 or higher without delay. That release removes the unauthenticated remote command injection path entirely. BMC provides full remediation steps in its official Control-M advisory. Until you patch, restrict network access to the Control-M/Server communication port. Additionally, watch the server for unexpected command activity and review recent job logs.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.