CVE-2025-55109 is a critical authentication bypass vulnerability affecting BMC Control-M/Agent versions 9.0.18 through 9.0.20, and potentially earlier unsupported versions. The vulnerability arises due to improper certificate validation (CWE-295) when the product uses an empty or default kdb keystore or a default PKCS#12 keystore for client authentication. Specifically, the Control-M/Agent contains hardcoded fallback certificates that are trusted only if an empty kdb keystore is used; however, these certificates are expired. More critically, the default kdb and PKCS#12 keystores include trusted third-party certificates from external recognized certificate authorities and default self-signed demo certificates. This configuration allows a remote attacker who possesses a signed third-party or demo certificate to bypass the requirement for a certificate signed by the organization's certificate authority during authentication. The attacker can thus authenticate to the Control-M/Agent without proper authorization, potentially gaining unauthorized access to the system. The vulnerability is remotely exploitable without user interaction or prior authentication, but requires the attacker to have access to a valid third-party or demo certificate. The CVSS v4.0 score is 9.5 (critical), reflecting the high impact on confidentiality, integrity, and availability, combined with the ease of remote exploitation under certain conditions. No patches are currently linked, and no known exploits are reported in the wild as of the publication date (September 16, 2025).

For European organizations, the impact of this vulnerability is significant, especially for those relying on BMC Control-M/Agent for workload automation and job scheduling in critical IT environments. Successful exploitation could allow attackers to bypass authentication controls, leading to unauthorized execution of jobs, manipulation of workflows, data exfiltration, or disruption of business-critical processes. This could compromise the confidentiality and integrity of sensitive data and affect the availability of essential IT services. Given the widespread use of Control-M in sectors such as finance, manufacturing, telecommunications, and government agencies across Europe, exploitation could result in operational downtime, regulatory non-compliance (e.g., GDPR breaches), financial losses, and reputational damage. The lack of patches and the presence of expired or default certificates exacerbate the risk, especially in organizations that have not upgraded or hardened their Control-M/Agent deployments. Additionally, the vulnerability could be leveraged as a foothold for lateral movement within networks, increasing the scope of potential damage.

European organizations should take immediate and specific actions beyond generic advice: 1) Identify all instances of BMC Control-M/Agent in their environment, focusing on versions 9.0.18 to 9.0.20 and earlier unsupported versions. 2) Replace default or empty kdb and PKCS#12 keystores with properly configured keystores containing only organization-approved certificates signed by trusted internal certificate authorities. 3) Remove or disable any hardcoded or fallback certificates, especially expired ones, to prevent fallback trust scenarios. 4) Implement strict certificate validation policies and verify that client authentication requires certificates issued by the organization's CA. 5) Monitor authentication logs for unusual certificate usage or authentication attempts using third-party or demo certificates. 6) If possible, upgrade to a supported version of Control-M/Agent where this vulnerability is addressed or mitigated. 7) Employ network segmentation and access controls to limit exposure of Control-M/Agent interfaces to trusted networks and users only. 8) Prepare incident response plans specific to Control-M/Agent compromise scenarios. 9) Engage with BMC support or security advisories for any forthcoming patches or mitigations. These steps will help reduce the attack surface and prevent exploitation of the improper certificate validation vulnerability.