CVE-2025-55113 is a critical security vulnerability identified in BMC's Control-M/Agent software, specifically affecting versions 9.0.18 through 9.0.22.000. The flaw is categorized under CWE-158, which pertains to improper neutralization of null bytes or NUL characters. The vulnerability manifests when the Access Control List (ACL) enforcement mechanism relies on the C router, which is the default routing method in out-of-support versions 9.0.18 to 9.0.20 and can be configured in newer versions via the JAVA_AR setting. The core issue is that the ACL verification process prematurely terminates at the first NULL byte encountered in the email address field of the client certificate. This behavior allows an attacker to craft a malicious certificate containing a NULL byte that truncates the email address verification, effectively bypassing ACL restrictions. As a result, unauthorized users may gain access to systems or resources protected by ACLs without proper credentials or permissions. The vulnerability has been assigned a CVSS 4.0 base score of 9.5, reflecting its critical severity, with network attack vector, high complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Although no exploits have been observed in the wild yet, the vulnerability's characteristics make it a prime candidate for exploitation, especially in environments where Control-M/Agent is used for workload automation and job scheduling. The vulnerability affects both unsupported and some supported versions, emphasizing the need for immediate attention from organizations using these versions. No official patches have been linked yet, indicating that mitigation may currently rely on configuration changes or disabling the vulnerable routing method.

The vulnerability allows attackers to bypass Access Control Lists by exploiting improper handling of NULL bytes in client certificate email addresses. This can lead to unauthorized access to critical job scheduling and automation functions managed by Control-M/Agent, potentially allowing attackers to execute arbitrary jobs, disrupt workflows, or exfiltrate sensitive data. The compromise of Control-M/Agent can have cascading effects on enterprise IT operations, affecting business continuity, data integrity, and confidentiality. Given the high CVSS score and the nature of the flaw, the impact is critical, with potential for widespread disruption in organizations relying on affected versions. The lack of required privileges and user interaction lowers the barrier for exploitation, increasing risk. Enterprises in sectors with high reliance on automated workflows, such as finance, healthcare, manufacturing, and government, may face significant operational and reputational damage if exploited.

1. Immediately identify and inventory all instances of BMC Control-M/Agent running affected versions (9.0.18 to 9.0.22.000). 2. Where possible, upgrade to the latest supported version of Control-M/Agent that does not use the vulnerable C router or has addressed this vulnerability. 3. If upgrading is not immediately feasible, disable the C router by configuring the JAVA_AR setting to use a non-vulnerable routing method. 4. Implement strict certificate validation policies and monitor for anomalous client certificates containing NULL bytes or other suspicious characters. 5. Employ network segmentation and firewall rules to restrict access to Control-M/Agent interfaces to trusted hosts only. 6. Monitor logs for failed or suspicious ACL checks and unusual job execution patterns. 7. Engage with BMC support for official patches or workarounds as they become available. 8. Conduct regular security assessments and penetration tests focusing on authentication and ACL enforcement mechanisms. 9. Educate administrators about the risks of using outdated or unsupported software versions and the importance of timely patching.