CVE-2025-55112 is a high-severity vulnerability affecting out-of-support versions 9.0.18 through 9.0.20 of BMC's Control-M/Agent software, specifically when configured to use the non-default Blowfish cryptography algorithm. The vulnerability arises from the use of a hard-coded cryptographic key (CWE-321) embedded within the software. This key is static and known, which fundamentally undermines the confidentiality of encrypted communications between the Control-M/Agent and its corresponding Control-M Server. An attacker who can intercept network traffic and obtain this hard-coded key can decrypt sensitive data transmitted over the network. The vulnerability does not require authentication but does require some user interaction, likely in the form of network access or triggering communication sessions. The CVSS 4.0 base score is 7.6, reflecting a high severity due to the network attack vector, low attack complexity, and high impact on confidentiality and integrity. The flaw is particularly critical because Control-M/Agent is widely used for workload automation and job scheduling in enterprise environments, where sensitive operational data and credentials may be transmitted. The lack of available patches and the software being out of support further exacerbate the risk, leaving organizations reliant on configuration changes or mitigations. No known exploits are currently reported in the wild, but the vulnerability's characteristics make it a likely target for attackers aiming to intercept and decrypt critical operational data.

For European organizations, the impact of this vulnerability can be significant. Control-M/Agent is commonly deployed in large enterprises, financial institutions, utilities, and government agencies across Europe for automating critical batch jobs and workflows. The ability to decrypt network traffic could expose sensitive operational data, credentials, or personally identifiable information (PII), leading to data breaches, operational disruption, or compliance violations under GDPR. Attackers could leverage decrypted information to escalate privileges, move laterally within networks, or disrupt automated processes, potentially causing downtime or financial loss. The vulnerability's exploitation could also undermine trust in automated systems and complicate incident response efforts. Given the out-of-support status of affected versions, organizations using legacy Control-M/Agent deployments may face challenges in remediation, increasing their exposure. The high confidentiality and integrity impact combined with network-level exploitation potential makes this a critical concern for European enterprises relying on these versions.

Since no official patches are available for the affected out-of-support versions, European organizations should prioritize the following mitigations: 1) Upgrade Control-M/Agent to a supported version that does not use the vulnerable Blowfish algorithm or that has addressed this vulnerability. 2) If upgrading is not immediately feasible, reconfigure the Control-M/Agent to avoid using the non-default Blowfish cryptography algorithm and switch to a more secure, supported encryption method. 3) Implement network segmentation and strict access controls to limit exposure of Control-M/Agent communications to trusted network segments only, reducing the risk of interception. 4) Employ network-level encryption such as VPNs or TLS tunnels to protect Control-M traffic independently of the application-layer encryption. 5) Monitor network traffic for unusual patterns or unauthorized access attempts targeting Control-M/Agent communications. 6) Conduct thorough audits of existing Control-M/Agent deployments to identify vulnerable versions and configurations. 7) Educate operational teams about the risks and ensure incident response plans include scenarios involving compromised Control-M communications. These targeted mitigations go beyond generic advice by focusing on configuration changes, network controls, and operational awareness tailored to this specific vulnerability.