CVE-2025-55108: CWE-306 Missing Authentication for Critical Function in BMC Control-M/Agent
The Control-M/Agent is vulnerable to unauthenticated remote code execution, arbitrary file read and write and similar unauthorized actions when mutual SSL/TLS authentication is not enabled (i.e. in the default configuration).
NOTE:
* The vendor believes that this vulnerability only occurs when documented security best practices are not followed. BMC has always strongly recommended to use security best practices such as configuring SSL/TLS between Control-M Server and Agent.
* The vendor notifies that Control-M/Agent is not impacted in Control-M SaaS.
AI Analysis
Technical Summary
CVE-2025-55108 is a critical security vulnerability identified in BMC's Control-M/Agent software versions 9.0.18 through 9.0.22. The vulnerability stems from missing authentication for critical functions (CWE-306), specifically when mutual SSL/TLS authentication between Control-M Server and Agent is not enabled. By default, the Control-M/Agent does not enforce mutual authentication, allowing unauthenticated remote attackers to perform remote code execution, arbitrary file read and write operations, and other unauthorized actions. This vulnerability arises because the agent accepts commands and data from the server without verifying the server's identity, enabling attackers to impersonate the server and execute malicious commands remotely.

The vendor has clarified that this vulnerability is contingent on insecure configuration, as enabling mutual SSL/TLS authentication effectively mitigates the risk. Control-M SaaS deployments are unaffected due to their managed security posture.

The CVSS 4.0 score of 9.5 indicates critical severity, with network attack vector, low attack complexity, no user interaction, and no privileges required. The vulnerability impacts confidentiality, integrity, and availability with high scope and impact. Although no exploits have been reported in the wild yet, the ease of exploitation and critical impact make this a high-priority issue for affected organizations. The vulnerability highlights the importance of following security best practices and proper configuration management in enterprise batch processing environments.
Potential Impact
For European organizations, the impact of CVE-2025-55108 can be severe, particularly in industries that rely heavily on BMC Control-M for batch job scheduling and automation, such as finance, telecommunications, manufacturing, and public sector entities. Successful exploitation could lead to unauthorized remote code execution, allowing attackers to compromise critical systems, manipulate or exfiltrate sensitive data, disrupt automated workflows, and potentially cause widespread operational outages. The ability to read and write arbitrary files further increases the risk of data breaches and system integrity violations. Given the default configuration does not enable mutual SSL/TLS authentication, many deployments may be vulnerable if security best practices are not strictly enforced. This vulnerability could facilitate lateral movement within networks, leading to broader compromise. The absence of known exploits in the wild provides a window for remediation, but the critical nature demands immediate attention to prevent potential targeted attacks. The impact on confidentiality, integrity, and availability is high, potentially affecting business continuity and regulatory compliance under GDPR and other European data protection laws.
Mitigation Recommendations
European organizations should immediately audit their Control-M/Agent deployments to verify whether mutual SSL/TLS authentication is enabled between Control-M Server and Agent. If not enabled, they must configure and enforce mutual TLS authentication as per BMC's documented security best practices to prevent unauthorized access. Network segmentation should be applied to restrict Control-M/Agent communication to trusted hosts only. Monitoring and logging of Control-M traffic should be enhanced to detect anomalous activities indicative of exploitation attempts. Organizations should also ensure that all Control-M/Agent instances are updated to the latest supported versions and apply any vendor patches or security advisories as they become available. Implementing strict access controls and using network-level protections such as firewalls and intrusion detection/prevention systems can further reduce exposure. Additionally, conducting regular security assessments and penetration tests focusing on Control-M infrastructure will help identify misconfigurations or vulnerabilities proactively. Finally, organizations should prepare incident response plans specific to Control-M compromise scenarios.
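An added example, not code from BMC or from this page's source: one way to run the audit recommended above over an asset inventory, flagging agents in the listed version range that lack mutual TLS. The CSV columns, host names and status labels are assumptions and the sample rows are constructed; the version range is the one stated on this page.

```python
import csv
import io

# Affected range as stated on this page (9.0.18 through 9.0.22).
AFFECTED_MIN, AFFECTED_MAX = (9, 0, 18), (9, 0, 22)

# Constructed sample inventory; column names and hosts are assumptions.
SAMPLE_INVENTORY = """host,version,deployment,mutual_tls
batch-01.example.internal,9.0.20.200,self-hosted,no
batch-02.example.internal,9.0.21,self-hosted,yes
batch-03.example.internal,9.0.22.050,self-hosted,
batch-04.example.internal,9.0.17,self-hosted,no
batch-05.example.internal,9.0.21,saas,no
batch-06.example.internal,unknown,self-hosted,no
"""

def base_version(text):
    """Return the first three numeric components, or None if unparseable."""
    parts = text.strip().split(".")
    try:
        return tuple(int(p) for p in parts[:3]) if len(parts) >= 3 else None
    except ValueError:
        return None

def triage(row):
    """Classify one inventory row; the labels are this example's own."""
    if row["deployment"].strip().lower() == "saas":
        return "not-impacted"      # vendor note: SaaS is not impacted
    mtls = row["mutual_tls"].strip().lower()
    if mtls == "yes":
        return "mitigated"         # mutual TLS is the stated mitigation
    version = base_version(row["version"])
    if version is None:
        return "verify"            # version unknown: confirm on the host
    if not (AFFECTED_MIN <= version <= AFFECTED_MAX):
        return "review"            # outside the listed range, mTLS still off
    # In range: a blank mTLS field is unconfirmed, not safe.
    return "exposed" if mtls == "no" else "verify"

def triage_inventory(text):
    return {r["host"]: triage(r) for r in csv.DictReader(io.StringIO(text))}

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{status:13} {host}")
```

Rows marked `verify` or `review` still need the agent's actual SSL/TLS configuration checked on the host, since the inventory field is only as accurate as whoever filled it in.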
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: airbus
- Date Reserved: 2025-08-07T07:23:59.124Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 690b184397eccd90738383be
Added to database: 11/5/2025, 9:26:27 AM
Last enriched: 11/19/2025, 10:36:42 AM
Last updated: 12/19/2025, 8:01:33 PM