CVE-2025-55111: CWE-276 Incorrect Default Permissions in BMC Control-M/Agent
Certain files with overly permissive permissions were identified in the out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions as well as in newer versions which were upgraded from an affected version. These files contain keys and passwords relating to SSL files, keystore and policies. An attacker with local access to the system running the Agent can access these files.
AI Analysis
Technical Summary
CVE-2025-55111 is a medium-severity vulnerability classified under CWE-276 (Incorrect Default Permissions) affecting BMC's Control-M/Agent software versions 9.0.18 through 9.0.20, as well as potentially earlier unsupported versions and newer versions upgraded from these affected releases. The vulnerability arises from certain files within the Control-M/Agent installation that have overly permissive default file permissions. These files contain sensitive cryptographic material, including SSL keys, keystore contents, and policy files. Because access to these files is not sufficiently restricted, an attacker who has local access to the system running the Control-M/Agent can read them and extract sensitive credentials and keys. This exposure could allow the attacker to compromise the confidentiality of communications secured by these keys or potentially impersonate the agent or escalate privileges. The vulnerability does not require user interaction but does require at least low-level privileges (local access with some privileges) to exploit. The CVSS 4.0 vector indicates a local attack vector (AV:L), low attack complexity (AC:L), attack requirements present (AT:P), low privileges required (PR:L), no user interaction (UI:N), and high impact on confidentiality (VC:H) with no impact on integrity or availability. No known exploits are currently reported in the wild, and no official patches have been linked yet. The issue is particularly relevant for organizations running out-of-support versions or those that have upgraded from affected versions without remediating file permissions. The vulnerability highlights the risk of improper file permission management in critical enterprise software components that handle sensitive cryptographic material.
Potential Impact
For European organizations, the impact of CVE-2025-55111 can be significant, especially for those relying on BMC Control-M/Agent for workload automation and job scheduling in critical IT environments. Exposure of SSL keys and keystore passwords can lead to unauthorized decryption of encrypted communications, impersonation of the Control-M agent, and potential lateral movement within the network. This can compromise the confidentiality of sensitive business data and disrupt automated workflows. Since the vulnerability requires local access with some privileges, it increases the risk if an attacker gains a foothold via other means (e.g., phishing, insider threat, or compromised credentials). Organizations in sectors with strict data protection regulations such as finance, healthcare, and government may face compliance risks and reputational damage if such a breach occurs. Additionally, the presence of this vulnerability in out-of-support versions complicates remediation efforts, potentially leaving critical systems exposed. The lack of known exploits reduces immediate risk but does not eliminate the threat, as attackers could develop exploits given the detailed vulnerability information.
Mitigation Recommendations
1. Conduct an immediate audit of all Control-M/Agent installations to identify versions 9.0.18 through 9.0.20, any earlier unsupported versions, and systems upgraded from these versions.
2. Manually verify and correct file permissions on all sensitive files containing SSL keys, keystore, and policy data to restrict access strictly to the Control-M/Agent service account and system administrators only.
3. Implement strict local access controls and limit user privileges on systems running Control-M/Agent to reduce the risk of local exploitation.
4. Monitor local system access logs for unusual activity indicative of unauthorized local access attempts.
5. Engage with BMC support or official channels to obtain any forthcoming patches or guidance and plan for timely upgrades to supported, patched versions.
6. Consider isolating Control-M/Agent hosts in segmented network zones to limit lateral movement if compromise occurs.
7. Employ file integrity monitoring solutions to detect unauthorized changes to sensitive files.
8. Review and enhance endpoint security controls to prevent privilege escalation and unauthorized local access.
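An added example for step 2, not taken from BMC or from the original advisory: a POSIX permission audit that lists regular files under a directory tree that grant any access to group or other, or that are not owned by the expected account, and then strips those bits. The page does not name the affected files, so the root directory is supplied by the caller and the demo runs on constructed file names in a temporary directory.

```python
import os
import stat
import tempfile

def audit_tree(root, expected_uid=None):
    """List regular files under root that anyone but the owner can access."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)              # lstat: do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            reasons = []
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                reasons.append("group/other access")
            if expected_uid is not None and st.st_uid != expected_uid:
                reasons.append("unexpected owner")
            if reasons:
                findings.append((path, oct(mode), reasons))
    return sorted(findings)

def tighten(path):
    """Drop every group/other bit; owner bits are left as they are."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    os.chmod(path, mode & stat.S_IRWXU)

def demo():
    """Constructed sample tree; real file names are not given on the page."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"keystore.sample": 0o644, "private.sample": 0o600}
        for name, mode in samples.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("constructed placeholder\n")
            os.chmod(path, mode)
        before = audit_tree(root, expected_uid=os.getuid())
        for path, _mode, _reasons in before:
            tighten(path)
        after = audit_tree(root, expected_uid=os.getuid())
        return [(os.path.basename(p), m, r) for p, m, r in before], after

if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after:", after)
```

Run `audit_tree` read-only first and review the findings before calling `tighten`, since the agent may legitimately need group access to some files.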
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: airbus
- Date Reserved: 2025-08-07T07:23:59.125Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 68c958bfff7c553b3ddd1f16
Added to database: 9/16/2025, 12:31:59 PM
Last enriched: 9/16/2025, 12:33:51 PM
Last updated: 9/16/2025, 6:39:41 PM