
CVE-2025-55113: CWE-158 Improper Neutralization of Null Byte or NUL Character in BMC Control-M/Agent

Severity: Critical
Type: Vulnerability
Tags: CVE-2025-55113, cve, cve-2025-55113, cwe-158
Published: Tue Sep 16 2025 (09/16/2025, 12:20:03 UTC)
Source: CVE Database V5
Vendor/Project: BMC
Product: Control-M/Agent

Description

If the Access Control List is enforced by the Control-M/Agent and the C router is in use (default in Out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions; non-default but configurable using the JAVA_AR setting in newer versions), the verification stops at the first NULL byte encountered in the email address referenced in the client certificate. An attacker could bypass configured ACLs by using a specially crafted certificate.

AI-Powered Analysis

Last updated: 09/24/2025, 01:19:51 UTC

Technical Analysis

CVE-2025-55113 is a critical vulnerability affecting BMC's Control-M/Agent software versions 9.0.18 through 9.0.22. The flaw stems from improper neutralization of null bytes (CWE-158) in the Access Control List (ACL) enforcement mechanism when the C router is used. This router is the default in out-of-support versions 9.0.18 to 9.0.20 and can be enabled via the JAVA_AR setting in newer versions. The vulnerability arises because the ACL verification process halts upon encountering the first null byte in the email address field of the client certificate. An attacker can exploit this by crafting a certificate with a null byte embedded in the email address, effectively truncating the string and bypassing ACL checks. This allows unauthorized access to the Control-M/Agent, potentially enabling attackers to execute unauthorized commands or access sensitive scheduling and automation functions. The vulnerability has a CVSS 4.0 score of 9.5, indicating critical severity with network attack vector, high complexity, no privileges required, no user interaction, and high impacts on confidentiality, integrity, and availability. No known exploits are currently reported in the wild, but the high severity and ease of exploitation without authentication make this a significant threat. The lack of available patches at the time of publication increases the urgency for mitigation.
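The truncation described above, as an added C example that is not BMC's code: a comparison that stops at the first NUL byte next to a length-aware check that rejects embedded NULs. The struct, function names, ACL entry and both sample field values are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Certificate string fields carry an explicit length, so the raw value
 * may contain 0x00 bytes. Hypothetical model of such a field. */
struct cert_field { const unsigned char *data; size_t len; };

/* Constructed samples: a plain address and one with an embedded NUL. */
static const unsigned char SAMPLE_PLAIN[] = "ops@example.com";
static const unsigned char SAMPLE_NUL[]   = "ops@example.com\0.other.invalid";

struct cert_field sample_plain(void) {
    return (struct cert_field){ SAMPLE_PLAIN, sizeof SAMPLE_PLAIN - 1 };
}
struct cert_field sample_with_nul(void) {
    return (struct cert_field){ SAMPLE_NUL, sizeof SAMPLE_NUL - 1 };
}

/* Flawed pattern (CWE-158): only the bytes before the first NUL are
 * compared; everything after it is silently ignored. */
bool acl_match_truncating(const struct cert_field *email, const char *allowed) {
    const unsigned char *nul = memchr(email->data, 0, email->len);
    size_t seen = nul ? (size_t)(nul - email->data) : email->len;
    return seen == strlen(allowed) && memcmp(email->data, allowed, seen) == 0;
}

/* Hardened pattern: reject any field containing a NUL, then compare the
 * full declared length against the ACL entry. */
bool acl_match_strict(const struct cert_field *email, const char *allowed) {
    if (memchr(email->data, 0, email->len) != NULL)
        return false;
    size_t n = strlen(allowed);
    return email->len == n && memcmp(email->data, allowed, n) == 0;
}

int main(void) {
    const char *acl_entry = "ops@example.com";  /* constructed ACL entry */
    struct cert_field plain = sample_plain(), nul = sample_with_nul();
    printf("plain field:  truncating=%d strict=%d\n",
           acl_match_truncating(&plain, acl_entry),
           acl_match_strict(&plain, acl_entry));
    printf("NUL in field: truncating=%d strict=%d\n",
           acl_match_truncating(&nul, acl_entry),
           acl_match_strict(&nul, acl_entry));
    return 0;
}
```

The same `memchr` test on the declared field length is what a certificate-monitoring check for embedded NUL bytes reduces to.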

Potential Impact

For European organizations, the impact of this vulnerability can be severe, especially for enterprises relying on BMC Control-M/Agent for workload automation and job scheduling in critical IT environments. Successful exploitation could lead to unauthorized access to job scheduling controls, allowing attackers to disrupt business operations, manipulate automated workflows, or exfiltrate sensitive operational data. This could affect sectors such as finance, manufacturing, telecommunications, and government agencies where Control-M is commonly deployed. The breach of confidentiality and integrity of automated processes could result in operational downtime, financial losses, regulatory non-compliance (e.g., GDPR implications if personal data is involved), and reputational damage. Given the network-based attack vector and no requirement for authentication, attackers could remotely exploit vulnerable agents exposed to the internet or internal networks, increasing the risk of lateral movement within corporate networks.

Mitigation Recommendations

European organizations should immediately audit their Control-M/Agent deployments to identify affected versions (9.0.18 through 9.0.22). Since no official patches are currently available, organizations should consider the following mitigations:

1) Disable or avoid using the C router mode or JAVA_AR setting that enables it, switching to safer routing configurations if possible.
2) Restrict network exposure of Control-M/Agent instances by implementing strict firewall rules and network segmentation to limit access only to trusted hosts.
3) Enforce strict certificate validation policies and monitor for anomalous certificates that may contain null bytes or other suspicious characters.
4) Implement enhanced logging and monitoring around Control-M/Agent access to detect unusual authentication attempts or ACL bypass indicators.
5) Engage with BMC support for any available patches or workarounds and plan for timely updates once patches are released.
6) Conduct internal penetration testing focusing on ACL bypass attempts to validate the effectiveness of mitigations.


Technical Details

Data Version: 5.1
Assigner Short Name: airbus
Date Reserved: 2025-08-07T07:24:22.470Z
Cvss Version: 4.0
State: PUBLISHED

Threat ID: 68c958bfff7c553b3ddd1f1e

Added to database: 9/16/2025, 12:31:59 PM

Last enriched: 9/24/2025, 1:19:51 AM

Last updated: 12/18/2025, 8:59:46 PM
