CVE-2025-55115: CWE-23 Relative Path Traversal in BMC Control-M/Agent
A path traversal in the Control-M/Agent can lead to a local privilege escalation when an attacker has access to the system running the Agent. This vulnerability impacts the out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions. This vulnerability was fixed in 9.0.20.100 and above.
AI Analysis
Technical Summary
CVE-2025-55115 is a relative path traversal vulnerability classified under CWE-23 affecting BMC's Control-M/Agent software, specifically versions 9.0.18 through 9.0.20 and potentially earlier unsupported releases. Control-M/Agent is a workload automation tool widely used in enterprise environments to manage batch jobs and workflows. The vulnerability arises because the software improperly validates file path inputs, allowing an attacker with local access to manipulate file paths to access or overwrite arbitrary files on the system. This can lead to local privilege escalation, enabling the attacker to gain higher system privileges than initially granted. The flaw requires the attacker to have some level of local access (local vector) and privileges but does not require user interaction or network access. The vulnerability impacts confidentiality, integrity, and availability at a high level, as it can allow unauthorized file access and modification, potentially compromising the entire system. The issue was addressed in version 9.0.20.100 and later. Despite no known exploits in the wild, the critical CVSS score of 9.3 reflects the serious risk posed by this vulnerability in environments where Control-M/Agent is deployed.
Potential Impact
The vulnerability enables local attackers to escalate privileges by exploiting path traversal to access or modify sensitive files, potentially leading to full system compromise. For organizations relying on Control-M/Agent for critical batch processing and workflow automation, this could disrupt operations, expose sensitive data, and allow attackers to implant persistent malicious code. The impact extends to confidentiality, integrity, and availability, as attackers could read confidential files, alter system configurations, or disrupt job scheduling. Given the widespread use of Control-M/Agent in financial, healthcare, manufacturing, and government sectors, exploitation could have severe operational and reputational consequences. The requirement for local access limits remote exploitation, but insider threats or attackers who gain an initial foothold could leverage this vulnerability to escalate privileges and move laterally within networks.
Mitigation Recommendations
Organizations should immediately identify and inventory all instances of BMC Control-M/Agent, focusing on versions 9.0.18 through 9.0.20 and earlier unsupported releases. The primary mitigation is to upgrade all affected agents to version 9.0.20.100 or later, where the vulnerability is patched. If immediate upgrade is not feasible, restrict local access to systems running the Control-M/Agent to trusted personnel only and implement strict access controls and monitoring for suspicious activity. Employ host-based intrusion detection systems (HIDS) to detect unusual file access patterns indicative of path traversal exploitation. Regularly audit file permissions and system logs for anomalies. Additionally, consider isolating Control-M/Agent hosts in segmented network zones to limit lateral movement in case of compromise. Maintain up-to-date backups to enable recovery from potential attacks. Finally, educate system administrators about the risks of local privilege escalation vulnerabilities and the importance of timely patching.
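The Technical Summary above describes the defect class (CWE-23: a file path built from untrusted input is used without confirming it stays under its intended base directory) and the Mitigation Recommendations suggest watching file access patterns for traversal indicators. The following added example, which is not code from BMC or from Control-M/Agent and says nothing about how the agent itself handles paths, shows the general pattern: a naive check beside a hardened containment check, plus a small audit helper that flags `..` segments in the path field of log lines. The base directory, the `key=value` log format and every sample input are constructed assumptions.

```python
"""CWE-23 relative path traversal: a vulnerable check beside its hardened form,
plus a small audit helper over constructed log lines.

Added illustrative example; not code from BMC or Control-M/Agent. The base
directory, log format and all sample inputs are constructed assumptions.
"""
import os
import re

# Assumed directory a job runner might confine its files to (constructed,
# not a real Control-M/Agent path).
BASE_DIR = "/opt/agent/jobs"


def naive_join(base: str, relative: str) -> str:
    """Vulnerable pattern (CWE-23): only absolute paths are rejected, so a
    relative input carrying '..' segments still resolves outside `base`."""
    if os.path.isabs(relative):
        raise ValueError("absolute path not allowed")
    return os.path.join(base, relative)


def safe_join(base: str, relative: str) -> str:
    """Hardened pattern: canonicalise both sides, then require the result to be
    the base itself or a descendant of it. realpath also resolves symlinks that
    already exist under `base`, so a link pointing outside fails the check too."""
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, relative))
    if candidate != base_real and not candidate.startswith(base_real + os.sep):
        raise ValueError(f"path escapes base directory: {relative!r}")
    return candidate


def is_contained(base: str, relative: str) -> bool:
    """Boolean wrapper around safe_join for callers that prefer not to catch."""
    try:
        safe_join(base, relative)
        return True
    except ValueError:
        return False


# A '..' that forms a whole path segment (either separator), or its URL-encoded
# form. A component such as '..backup' is deliberately not matched.
_TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)|%2e%2e", re.IGNORECASE)
# Assumed log layout: a 'path=<value>' field in a space-separated key=value line.
_PATH_FIELD = re.compile(r"\bpath=(\S+)")


def find_traversal_attempts(lines):
    """Return (line_number, path) for log lines whose path field contains a
    '..' segment. Adapt _PATH_FIELD to the real log format before use."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = _PATH_FIELD.search(line)
        if match and _TRAVERSAL.search(match.group(1)):
            hits.append((number, match.group(1)))
    return hits


# Constructed sample log lines (not real agent output).
SAMPLE_LOG = [
    "2025-09-16T12:31:59Z agent job=nightly_report path=daily/report.txt status=ok",
    "2025-09-16T12:32:03Z agent job=nightly_report path=../../etc/passwd status=ok",
    "2025-09-16T12:32:10Z agent job=cleanup path=archive/..backup/old.log status=ok",
    "2025-09-16T12:32:15Z agent job=cleanup path=%2e%2e/%2e%2e/etc/hosts status=ok",
]

if __name__ == "__main__":
    for rel in ("daily/report.txt", "../../etc/passwd", "archive/..backup/old.log"):
        print(f"{rel!r}: naive -> {naive_join(BASE_DIR, rel)} | contained: {is_contained(BASE_DIR, rel)}")
    for number, path in find_traversal_attempts(SAMPLE_LOG):
        print(f"line {number}: traversal sequence in path field: {path}")
```

The containment check compares canonical paths rather than looking for the literal string `..`, so it also rejects inputs that reach outside the base through a symlink, while the audit helper is the cheap complementary signal for log review: it cannot prove a write landed outside the base, but a `..` segment in a job's path field is the anomaly the page's HIDS recommendation refers to and is worth an alert.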
Affected Countries
United States, United Kingdom, Germany, France, Canada, Australia, Japan, India, Netherlands, Switzerland, Singapore
Technical Details
- Data Version: 5.1
- Assigner Short Name: airbus
- Date Reserved: 2025-08-07T07:24:22.470Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68c958bfff7c553b3ddd1f26
Added to database: 9/16/2025, 12:31:59 PM
Last enriched: 2/27/2026, 3:46:18 AM
Last updated: 3/21/2026, 12:16:29 AM