
CVE-2025-55108: CWE-306 Missing Authentication for Critical Function in BMC Control-M/Agent

Severity: Critical
Tags: Vulnerability, CVE-2025-55108, CWE-306
Published: Wed Nov 05 2025 (11/05/2025, 09:07:29 UTC)
Source: CVE Database V5
Vendor/Project: BMC
Product: Control-M/Agent

Description

The Control-M/Agent is vulnerable to unauthenticated remote code execution, arbitrary file read and write and similar unauthorized actions when mutual SSL/TLS authentication is not enabled (i.e. in the default configuration). NOTE: The vendor believes that this vulnerability only occurs when documented security best practices are not followed. BMC has always strongly recommended to use security best practices such as configuring SSL/TLS between Control-M Server and Agent.

AI-Powered Analysis

Last updated: 11/05/2025, 09:41:28 UTC

Technical Analysis

CVE-2025-55108 identifies a critical security flaw in BMC's Control-M/Agent software versions 9.0.18 through 9.0.22. The vulnerability stems from missing authentication controls on critical functions within the agent, categorized under CWE-306 (Missing Authentication for Critical Function). In its default state, the Control-M/Agent does not enforce mutual SSL/TLS authentication between the Control-M Server and Agent, allowing remote attackers to perform unauthenticated actions including remote code execution and arbitrary file read/write operations. This lack of mutual authentication means that an attacker can connect to the agent and invoke privileged functions without credentials or user interaction. The vulnerability has a CVSS 4.0 base score of 9.5, indicating critical severity with network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. The vendor emphasizes that this vulnerability only manifests if documented security best practices are not followed, specifically the enabling of mutual SSL/TLS authentication. No patches are currently linked, and no exploits have been observed in the wild, but the risk remains high due to the ease of exploitation and potential impact. Control-M/Agent is widely used for workload automation in enterprise environments, making this vulnerability a significant threat if left unmitigated.

Potential Impact

For European organizations, the impact of CVE-2025-55108 can be severe. Control-M/Agent is commonly deployed in critical IT infrastructure to automate batch jobs and workflows across various industries including finance, manufacturing, telecommunications, and government. Exploitation could lead to unauthorized execution of arbitrary code, potentially allowing attackers to compromise entire systems, exfiltrate sensitive data, or disrupt business operations. The ability to read and write arbitrary files without authentication further increases the risk of data breaches and system integrity violations. Given the critical nature of workload automation in maintaining operational continuity, successful exploitation could cause significant downtime and financial losses. Additionally, regulatory frameworks such as GDPR impose strict data protection requirements, and breaches resulting from this vulnerability could lead to legal and reputational consequences. The lack of known exploits in the wild reduces immediate risk but does not diminish the urgency for mitigation, especially in high-value European sectors where Control-M is prevalent.

Mitigation Recommendations

European organizations should immediately verify their Control-M/Agent configurations to ensure mutual SSL/TLS authentication is enabled between Control-M Server and Agent, as recommended by BMC. This involves generating and deploying proper certificates on both ends and enforcing strict TLS policies to prevent unauthenticated connections. Network segmentation should be applied to restrict access to Control-M/Agent ports only to trusted management systems. Monitoring and logging of Control-M/Agent communications should be enhanced to detect anomalous or unauthorized access attempts. Organizations should also review and apply any vendor patches or updates as they become available. Conducting regular security audits and penetration testing focused on Control-M infrastructure will help identify misconfigurations or residual vulnerabilities. Finally, educating system administrators on the importance of following security best practices and verifying compliance with these configurations is critical to prevent exploitation.
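The distinction the advisory turns on, a listener that only proves its own identity versus one that also requires and verifies the caller's certificate, is easy to demonstrate in code. The following Go program is an added example written for this page, not BMC's code and not Control-M's actual protocol or configuration (which is vendor-documented and not reproduced here). It builds two throwaway self-signed certificates with standard-library calls, then runs an in-process listener under the weak setting (`tls.NoClientCert`) and the corrected one (`tls.RequireAndVerifyClientCert` with a `ClientCAs` pool), and records whether a caller with no certificate and a caller holding a trusted certificate can complete a request/response exchange. The names `control-m-agent` and `control-m-server` are hypothetical labels for the two sides.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed certificate for one party plus a pool trusting
// exactly that certificate. Constructed for this example; a real deployment uses PKI-issued certs.
func selfSigned(name string) (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // setup on constructed input; nothing sensible to recover
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IsCA:         true, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // der was produced just above, so it parses
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// roundTrip sends one request from a client using clientCfg to an in-process listener using
// serverCfg and waits for the reply. nil means the listener accepted the peer and answered.
func roundTrip(serverCfg, clientCfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			return
		}
		conn := tls.Server(raw, serverCfg)
		defer conn.Close()
		conn.SetDeadline(time.Now().Add(5 * time.Second))
		if conn.Handshake() != nil {
			return // peer not authenticated: the request is never read
		}
		buf := make([]byte, 64)
		if n, err := conn.Read(buf); err == nil {
			conn.Write(append([]byte("ack: "), buf[:n]...))
		}
	}()
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	conn.Write([]byte("run-job")) // acceptance or refusal shows up on the read below
	_, err = conn.Read(make([]byte, 64))
	return err
}

type Outcome struct {
	DefaultAcceptsAnonymous  bool // server-auth only: a caller with no certificate gets in
	HardenedRejectsAnonymous bool // mutual TLS: the same caller is dropped at the handshake
	HardenedAcceptsTrusted   bool // mutual TLS: a caller holding a trusted certificate gets in
}

// Demo contrasts an agent listener that only proves its own identity with one
// that also requires and verifies the caller's certificate.
func Demo() Outcome {
	agentCert, trustAgent := selfSigned("control-m-agent")   // hypothetical name
	serverCert, trustServer := selfSigned("control-m-server") // hypothetical name
	// Weak setting: the listener never asks the caller for a certificate.
	weak := &tls.Config{Certificates: []tls.Certificate{agentCert}, ClientAuth: tls.NoClientCert}
	// Corrected setting: the caller must present a certificate that verifies against trustServer.
	hardened := &tls.Config{Certificates: []tls.Certificate{agentCert}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trustServer}
	anonymous := &tls.Config{RootCAs: trustAgent, ServerName: "control-m-agent"}
	trusted := &tls.Config{RootCAs: trustAgent, ServerName: "control-m-agent", Certificates: []tls.Certificate{serverCert}}
	return Outcome{
		DefaultAcceptsAnonymous:  roundTrip(weak, anonymous) == nil,
		HardenedRejectsAnonymous: roundTrip(hardened, anonymous) != nil,
		HardenedAcceptsTrusted:   roundTrip(hardened, trusted) == nil,
	}
}
```

The point to take from the run is the first field: with server-only TLS, anyone who trusts (or simply ignores) the agent's certificate can reach the request handler, which is why encrypting the channel alone does not satisfy the mitigation. Only the `RequireAndVerifyClientCert` listener drops the anonymous caller at the handshake, before any request is read, while still admitting the caller whose certificate chains to the configured `ClientCAs`. The same three checks, pointed at a real listener, are what a verification step after reconfiguring an agent should confirm.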


Technical Details

Data Version: 5.2
Assigner Short Name: airbus
Date Reserved: 2025-08-07T07:23:59.124Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 690b184397eccd90738383be

Added to database: 11/5/2025, 9:26:27 AM

Last enriched: 11/5/2025, 9:41:28 AM

Last updated: 11/5/2025, 2:00:25 PM
