
CVE-2025-55108: CWE-306 Missing Authentication for Critical Function in BMC Control-M/Agent

Critical
Type: Vulnerability
Tags: CVE-2025-55108, cve, cve-2025-55108, cwe-306
Published: Wed Nov 05 2025 (11/05/2025, 09:07:29 UTC)
Source: CVE Database V5
Vendor/Project: BMC
Product: Control-M/Agent

Description

The Control-M/Agent is vulnerable to unauthenticated remote code execution, arbitrary file read and write and similar unauthorized actions when mutual SSL/TLS authentication is not enabled (i.e. in the default configuration).

NOTE:
* The vendor believes that this vulnerability only occurs when documented security best practices are not followed. BMC has always strongly recommended to use security best practices such as configuring SSL/TLS between Control-M Server and Agent.
* The vendor notifies that Control-M/Agent is not impacted in Control-M SaaS.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 03:45:09 UTC

Technical Analysis

CVE-2025-55108 is a critical security vulnerability identified in BMC Control-M/Agent versions 9.0.18 through 9.0.22. The root cause is a missing authentication mechanism for critical functions within the agent, classified under CWE-306. By default, Control-M/Agent does not enforce mutual SSL/TLS authentication between the Control-M Server and Agent, which allows remote attackers to connect without credentials. This lack of authentication enables attackers to execute arbitrary code remotely, read and write arbitrary files, and perform other unauthorized actions on the affected system. The vulnerability is exploitable over the network without requiring user interaction or prior privileges, significantly increasing its risk profile. The vendor emphasizes that this vulnerability only occurs if security best practices are not followed, specifically the enabling of mutual SSL/TLS authentication, which is strongly recommended. Control-M SaaS deployments are not impacted by this issue. No public exploits have been reported yet, but the high CVSS 4.0 score of 9.5 reflects the critical nature of this vulnerability, with high impact on confidentiality, integrity, and availability. The vulnerability was reserved in August 2025 and published in November 2025, indicating recent discovery and disclosure.

Potential Impact

The impact of CVE-2025-55108 is severe for organizations using vulnerable versions of BMC Control-M/Agent without mutual SSL/TLS authentication enabled. Successful exploitation allows remote attackers to execute arbitrary code, potentially leading to full system compromise. Attackers can also read and modify arbitrary files, which may result in data breaches, manipulation of job scheduling data, disruption of automated workflows, and potential lateral movement within the network. The availability of critical business process automation services managed by Control-M could be disrupted, causing operational downtime and financial loss. Since exploitation requires no authentication or user interaction, the attack surface is broad, increasing the likelihood of attacks. Organizations that do not follow the vendor's recommended security best practices are at the highest risk. Although no known exploits are currently in the wild, the vulnerability's critical severity and ease of exploitation make it a prime target for threat actors once exploit code becomes available.

Mitigation Recommendations

Organizations should immediately verify their Control-M/Agent configurations to ensure mutual SSL/TLS authentication is enabled between Control-M Server and Agent, as this is the primary mitigation recommended by the vendor. This involves configuring both server and agent components to require and validate client certificates, effectively enforcing strong mutual authentication. Additionally, organizations should upgrade to the latest patched versions once available, or apply any interim security updates or configuration guidance provided by BMC. Network segmentation and firewall rules should restrict access to Control-M/Agent ports to trusted hosts only, minimizing exposure to untrusted networks. Continuous monitoring and logging of Control-M communications can help detect anomalous or unauthorized access attempts. Organizations should also review and harden related infrastructure and credentials to reduce the risk of lateral movement if compromise occurs. Finally, maintaining an incident response plan specific to Control-M environments will help rapidly contain and remediate any exploitation attempts.


Technical Details

Data Version: 5.2
Assigner Short Name: airbus
Date Reserved: 2025-08-07T07:23:59.124Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 690b184397eccd90738383be

Added to database: 11/5/2025, 9:26:27 AM

Last enriched: 2/27/2026, 3:45:09 AM

Last updated: 3/25/2026, 1:23:26 AM
