CVE-2025-55113: CWE-158 Improper Neutralization of Null Byte or NUL Character in BMC Control-M/Agent
If the Access Control List is enforced by the Control-M/Agent and the C router is in use (default in out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions; non-default but configurable using the JAVA_AR setting in newer versions), the verification stops at the first NULL byte encountered in the email address referenced in the client certificate. An attacker could bypass configured ACLs by using a specially crafted certificate.
AI Analysis
Technical Summary
CVE-2025-55113 is a critical vulnerability affecting BMC's Control-M/Agent software versions 9.0.18 through 9.0.22. The flaw arises from improper neutralization of null bytes (CWE-158) in the Access Control List (ACL) enforcement mechanism when the C router is in use. Specifically, the ACL verification process stops processing the email address field in the client certificate upon encountering the first null byte (NUL character). This behavior allows an attacker to craft a malicious client certificate with a null byte embedded in the email address, effectively truncating the ACL check and bypassing configured access restrictions. The vulnerability is present primarily in the default C router used in out-of-support versions 9.0.18 to 9.0.20 and can also be triggered in newer versions if the JAVA_AR setting is configured to use the C router. The CVSS 4.0 score of 9.5 (critical) reflects the high impact and network attack vector with no user interaction required. Exploitation does not require privileges or authentication, and the vulnerability affects confidentiality, integrity, and availability by potentially allowing unauthorized access and control over the Control-M/Agent. Although no known exploits are currently observed in the wild, the vulnerability's nature and severity make it a significant risk for organizations using affected versions of Control-M/Agent, especially those relying on client certificate-based ACL enforcement for security. The lack of available patches at the time of publication further increases the urgency for mitigation.
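The truncation described above, as an added example (not BMC's code, which the page does not show): a hypothetical ACL check that treats the certificate's email field as a C string, next to one that uses the decoded length and rejects embedded NUL bytes. The `cert_str` type, the function names, the ACL entries and the sample addresses are all constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A decoded certificate string: ASN.1 strings carry an explicit length and
 * may contain 0x00 bytes, so `len` (not a terminator) defines the value. */
struct cert_str { const unsigned char *data; size_t len; };

/* Hypothetical ACL of permitted email addresses (constructed values). */
static const char *const ACL[] = { "scheduler@corp.example", "ops@corp.example" };
#define ACL_COUNT (sizeof ACL / sizeof ACL[0])

/* Weak form: C-string comparison stops at the first NUL byte, so only the
 * prefix before it is checked against the ACL. */
bool acl_allows_cstr(const struct cert_str *email) {
    for (size_t i = 0; i < ACL_COUNT; i++)
        if (strcmp((const char *)email->data, ACL[i]) == 0)
            return true;
    return false;
}

/* Hardened form: reject any embedded NUL, then compare the full value
 * using the decoded length. */
bool acl_allows_strict(const struct cert_str *email) {
    if (email->len == 0 || memchr(email->data, 0, email->len) != NULL)
        return false;
    for (size_t i = 0; i < ACL_COUNT; i++) {
        size_t n = strlen(ACL[i]);
        if (n == email->len && memcmp(email->data, ACL[i], n) == 0)
            return true;
    }
    return false;
}

/* Constructed sample values; sizeof - 1 drops the literal's terminator. */
static const unsigned char LEGIT_B[]   = "ops@corp.example";
static const unsigned char CRAFTED_B[] = "ops@corp.example\0@elsewhere.example";
static const unsigned char OTHER_B[]   = "guest@elsewhere.example";
static const struct cert_str LEGIT   = { LEGIT_B,   sizeof LEGIT_B - 1 };
static const struct cert_str CRAFTED = { CRAFTED_B, sizeof CRAFTED_B - 1 };
static const struct cert_str OTHER   = { OTHER_B,   sizeof OTHER_B - 1 };

int main(void) {
    printf("legit:   cstr=%d strict=%d\n", acl_allows_cstr(&LEGIT), acl_allows_strict(&LEGIT));
    printf("crafted: cstr=%d strict=%d\n", acl_allows_cstr(&CRAFTED), acl_allows_strict(&CRAFTED));
    printf("other:   cstr=%d strict=%d\n", acl_allows_cstr(&OTHER), acl_allows_strict(&OTHER));
    return 0;
}
```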
Potential Impact
For European organizations, the impact of CVE-2025-55113 is substantial. Control-M/Agent is widely used in enterprise environments for workload automation and job scheduling, often managing critical business processes and data flows. Unauthorized access via ACL bypass could lead to execution of unauthorized jobs, data leakage, or disruption of automated workflows, affecting business continuity and compliance with data protection regulations such as GDPR. The vulnerability compromises confidentiality by allowing attackers to impersonate authorized clients, integrity by enabling unauthorized job execution or modification, and availability by potentially disrupting scheduled operations. Given the critical nature of Control-M/Agent in sectors like finance, manufacturing, telecommunications, and public services across Europe, exploitation could have cascading effects on operational stability and regulatory compliance. Additionally, the vulnerability's exploitation could facilitate lateral movement within networks, increasing the risk of broader compromise.
Mitigation Recommendations
Immediate mitigation steps include:
1) Identifying and inventorying all instances of Control-M/Agent within the environment, focusing on versions 9.0.18 through 9.0.22.
2) Disabling the use of the C router where possible, especially the JAVA_AR setting that enables it in newer versions, to prevent the vulnerable ACL verification path from being used.
3) Implementing strict certificate validation policies and monitoring for anomalous client certificate usage that may indicate attempts to exploit null byte injection.
4) Applying network segmentation and access controls to limit exposure of Control-M/Agent interfaces to trusted hosts only.
5) Monitoring logs and network traffic for unusual access patterns or failed ACL checks that could signal exploitation attempts.
6) Engaging with BMC support for patches or updates as they become available and planning timely upgrades to versions that do not use the vulnerable C router or have fixed the issue.
7) Employing additional compensating controls such as multi-factor authentication and enhanced monitoring around Control-M/Agent operations to detect and respond to suspicious activities promptly.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: airbus
- Date Reserved: 2025-08-07T07:24:22.470Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 68c958bfff7c553b3ddd1f1e
Added to database: 9/16/2025, 12:31:59 PM
Last enriched: 9/16/2025, 12:32:58 PM
Last updated: 9/17/2025, 8:13:54 AM