CVE-2025-55112 identifies a cryptographic vulnerability in BMC Control-M/Agent versions 9.0.18 through 9.0.20, specifically when configured to use the non-default Blowfish encryption algorithm. The flaw arises from the use of a hardcoded cryptographic key embedded within the software, violating secure key management principles (CWE-321). This key is static and identical across affected versions, enabling an attacker who can intercept network traffic and obtain the key to decrypt communications between the Control-M/Agent and the Control-M Server. The vulnerability affects out-of-support versions, meaning no official patches or updates are provided by BMC. The CVSS 4.0 score of 7.6 reflects a high severity, with network attack vector, low attack complexity, no privileges required, but user interaction needed. The vulnerability impacts confidentiality and integrity of data in transit, potentially exposing sensitive job scheduling information or allowing manipulation of transmitted data. While no known exploits have been reported in the wild, the presence of a hardcoded key significantly lowers the barrier for attackers with network access. The vulnerability does not affect newer supported versions or those using default cryptographic algorithms. Organizations relying on legacy Control-M/Agent versions with Blowfish enabled must assess exposure and implement compensating controls.

The primary impact of CVE-2025-55112 is the compromise of confidentiality and integrity of network communications between Control-M/Agent and Control-M Server. Attackers able to intercept network traffic and possessing the hardcoded key can decrypt sensitive operational data, including job schedules, execution parameters, and potentially credentials or tokens transmitted within the session. This exposure can lead to information disclosure, enabling further targeted attacks or operational disruption. Integrity compromise could allow attackers to manipulate data in transit if combined with other attack techniques. Since Control-M is widely used for enterprise workload automation, disruption or data leakage can affect critical business processes, causing operational downtime, compliance violations, and reputational damage. The lack of patches for out-of-support versions increases risk for organizations that have not upgraded. The vulnerability's exploitation requires network access and user interaction, limiting remote exploitation scope but still posing significant risk in internal or poorly segmented networks.

1. Upgrade to a supported version of BMC Control-M/Agent that does not use the Blowfish algorithm or does not contain the hardcoded key vulnerability. 2. If upgrading is not immediately possible, disable the use of the Blowfish cryptographic algorithm in Control-M/Agent configurations and revert to default, secure encryption methods. 3. Implement network segmentation and strict access controls to limit exposure of Control-M/Agent communication channels, reducing the risk of network traffic interception. 4. Employ network-level encryption such as VPNs or TLS tunnels to protect Control-M traffic independently of the application-layer encryption. 5. Monitor network traffic for unusual patterns or attempts to capture Control-M communications. 6. Conduct regular audits of Control-M/Agent versions in use and enforce policies to retire unsupported software promptly. 7. Educate users about the risks of interacting with untrusted network environments to reduce user interaction exploitation vectors. 8. Engage with BMC support or security advisories for any forthcoming patches or workarounds.