
CVE-2025-55112: CWE-321 Use of Hard-coded Cryptographic Key in BMC Control-M/Agent

Severity: High
Tags: CVE-2025-55112, CWE-321, CWE-327
Published: Tue Sep 16 2025 (09/16/2025, 12:19:24 UTC)
Source: CVE Database V5
Vendor/Project: BMC
Product: Control-M/Agent

Description

Out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 (and potentially earlier unsupported versions) that are configured to use the non-default Blowfish cryptography algorithm use a hardcoded key. An attacker with access to network traffic and to this key could decrypt network traffic between the Control-M/Agent and Server.

AI-Powered Analysis

Last updated: 09/16/2025, 12:33:08 UTC

Technical Analysis

CVE-2025-55112 is a high-severity vulnerability affecting out-of-support versions 9.0.18 to 9.0.20 of BMC's Control-M/Agent software, specifically when configured to use the non-default Blowfish cryptography algorithm. The vulnerability arises from the use of a hardcoded cryptographic key embedded within the software. This key is static and identical across affected installations, violating secure cryptographic practices (CWE-321). An attacker who can intercept network traffic between the Control-M/Agent and the Control-M Server and who knows or can obtain this hardcoded key can decrypt the communication. This compromises the confidentiality and integrity of data exchanged, potentially exposing sensitive job scheduling information, credentials, or other operational data. The vulnerability does not require authentication but does require user interaction (likely triggering communication), and the attack vector is network-based with low complexity. Although no known exploits are currently reported in the wild, the presence of a hardcoded key significantly lowers the barrier for attackers to decrypt intercepted traffic once the key is discovered or leaked. The affected versions are out of support, meaning no official patches are available, increasing the risk for organizations still running these versions. The CVSS 4.0 base score is 7.6 (high), reflecting the significant confidentiality and integrity impacts and ease of network exploitation without privileges.
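The weakness behind this CVE is CWE-321: a key that is a fixed literal inside the shipped software, so every installation shares it and anyone who recovers it once can read all intercepted traffic. A defender's first question is usually "do any of our own components or configurations do the same thing?". The following is an added example, not part of this record and not BMC's code: a small static check that flags string literals assigned to key-like names when the literal has high Shannon entropy, which is how random key material looks in source or configuration. The sample input is constructed for the demo and does not reflect Control-M/Agent's actual configuration format or its hardcoded key.

```python
import math
import re

# Identifier fragments that commonly hold key material (assumption: project naming).
KEY_NAME_RE = re.compile(r"(key|secret|passw(or)?d|token)", re.IGNORECASE)
# A string literal of at least 8 characters assigned to a name, e.g. KEY = "..." or key: '...'
ASSIGN_RE = re.compile(
    r"""^\s*(?P<name>[A-Za-z_][\w.]*)\s*[:=]\s*["'](?P<value>[^"']{8,})["']"""
)


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0 for an empty string, at most 8)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_hardcoded_keys(text: str, min_entropy: float = 3.5):
    """Return (line number, name, entropy) for key-like names bound to high-entropy literals.

    The entropy threshold separates random-looking material (hex/base64 keys) from
    placeholders such as "changeme"; tune min_entropy for your code base.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ASSIGN_RE.match(line)
        if not m or not KEY_NAME_RE.search(m.group("name")):
            continue
        ent = shannon_entropy(m.group("value"))
        if ent >= min_entropy:
            findings.append((lineno, m.group("name"), round(ent, 2)))
    return findings


# Constructed configuration fragment for the demo (not Control-M/Agent's real format or key).
SAMPLE_CONFIG = """\
cipher_algorithm = "blowfish"
blowfish_key = "7f3a9c1e5b2d8e4f6a0c1b3d5e7f9a2c"
log_level = "info"
api_token = "changeme"
"""

if __name__ == "__main__":
    for lineno, name, ent in find_hardcoded_keys(SAMPLE_CONFIG):
        print(f"line {lineno}: {name} looks like hardcoded key material (entropy {ent} bits/char)")
```

Run over a source tree or configuration export, the check surfaces the `blowfish_key` line (about 3.9 bits per character) and ignores the low-entropy placeholder on the `api_token` line. It is a triage aid, not proof of CWE-321; a flagged literal still needs a human to confirm it is a real key rather than a test fixture or public identifier.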

Potential Impact

For European organizations using affected versions of Control-M/Agent, this vulnerability poses a serious risk to the confidentiality and integrity of job scheduling and automation data. Control-M is widely used in enterprise IT environments for workload automation, often handling critical business processes. Exposure of decrypted network traffic could allow attackers to gain insights into operational workflows, potentially enabling further attacks such as lateral movement, data exfiltration, or disruption of business-critical processes. Since the vulnerability affects out-of-support versions, organizations may lack vendor support or patches, increasing exposure duration. This is particularly impactful for sectors with stringent data protection requirements such as finance, healthcare, and government agencies in Europe. Additionally, the ability to decrypt traffic could facilitate compliance violations under GDPR if personal or sensitive data is exposed. The vulnerability could also undermine trust in IT operations and lead to operational downtime if exploited.

Mitigation Recommendations

1. Immediate upgrade: Organizations should upgrade to the latest supported versions of Control-M/Agent that do not use the vulnerable Blowfish algorithm or that have removed the hardcoded key.
2. Configuration review: Disable the use of the Blowfish cryptography algorithm in Control-M/Agent configurations and switch to more secure, modern cryptographic algorithms supported by the product.
3. Network segmentation: Restrict network access between Control-M/Agent and Control-M Server to trusted networks only, minimizing the risk of traffic interception.
4. Use of VPN or encrypted tunnels: If upgrading is not immediately feasible, implement additional network-layer encryption such as VPNs or TLS tunnels to protect traffic confidentiality.
5. Monitoring and detection: Deploy network monitoring tools to detect unusual traffic patterns or attempts to intercept Control-M communications.
6. Incident response planning: Prepare to respond to potential compromise scenarios involving Control-M communications, including forensic analysis and containment.
7. Vendor engagement: Engage with BMC support or professional services for guidance on secure configurations and upgrade paths, even if the affected versions are out of support.


Technical Details

Data Version: 5.1
Assigner Short Name: airbus
Date Reserved: 2025-08-07T07:23:59.125Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c958bfff7c553b3ddd1f1a

Added to database: 9/16/2025, 12:31:59 PM

Last enriched: 9/16/2025, 12:33:08 PM

Last updated: 9/19/2025, 12:08:58 AM
