CVE-2025-55118: CWE-122 Heap-based Buffer Overflow in BMC Control-M/Agent
CVE-2025-55118 is a high-severity heap-based buffer overflow vulnerability in BMC Control-M/Agent versions 9. 0. 18 through 9. 0. 22. It occurs when SSL/TLS communication is configured with specific non-default settings, allowing remote attackers to trigger memory corruption without authentication or user interaction. The vulnerability can lead to significant impacts on confidentiality, integrity, and availability of affected systems. Exploitation requires network access but no privileges, making it a critical concern for organizations using these versions with the specified configurations. No known exploits are currently in the wild, but the high CVSS score (8. 4) indicates a serious risk.
AI Analysis
Technical Summary
CVE-2025-55118 is a heap-based buffer overflow vulnerability identified in BMC's Control-M/Agent software versions 9.0.18 through 9.0.22. The flaw arises specifically when SSL/TLS communication is configured with non-default parameters: in version 9.0.20, when "use_openssl=n" is set, and in versions 9.0.21 and 9.0.22, when both "JAVA_AR=N" and "use_openssl=n" are configured. These settings alter the cryptographic communication stack, leading to improper memory handling that can be exploited remotely without authentication or user interaction. The vulnerability is categorized under multiple CWEs related to memory corruption and buffer overflows (CWE-122, CWE-125, CWE-787, among others), indicating complex memory safety issues. The CVSS 4.0 base score of 8.4 reflects a high severity, with network attack vector, high impact on confidentiality, integrity, and availability, and no required privileges or user interaction. Although no exploits are currently known in the wild, the potential for remote code execution or denial of service is significant. The vulnerability affects the core agent responsible for job scheduling and workload automation, which are critical functions in enterprise IT environments. The lack of available patches at the time of publication necessitates immediate mitigation through configuration changes and network controls. This vulnerability highlights risks introduced by non-default cryptographic configurations and the importance of rigorous testing and secure defaults in enterprise software.
Potential Impact
For European organizations, the impact of CVE-2025-55118 can be severe due to the widespread use of BMC Control-M/Agent in automating critical business processes and IT workloads. Exploitation could allow attackers to execute arbitrary code remotely, disrupt job scheduling, or cause denial of service, leading to operational downtime and potential data breaches. Confidentiality could be compromised if attackers gain access to sensitive job data or credentials managed by the agent. Integrity risks arise from the possibility of tampering with scheduled tasks, potentially causing erroneous or malicious operations. Availability impacts include service interruptions affecting business continuity. Given the vulnerability requires no authentication and no user interaction, it lowers the barrier for attackers, increasing risk exposure. European sectors such as finance, manufacturing, telecommunications, and government entities that rely heavily on automation tools are particularly vulnerable. The absence of known exploits provides a window for proactive defense, but the high severity demands urgent attention to prevent exploitation, especially in environments with non-default SSL/TLS configurations.
Mitigation Recommendations
1. Immediately review and revert SSL/TLS configuration settings in Control-M/Agent to default values, specifically setting "use_openssl" to "yes" and enabling "JAVA_AR" where applicable. 2. Monitor BMC's official channels for patches addressing CVE-2025-55118 and apply them promptly once released. 3. Implement network segmentation to restrict access to Control-M/Agent instances, limiting exposure to trusted management networks only. 4. Deploy intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics to detect anomalous traffic patterns targeting Control-M/Agent communication ports. 5. Conduct thorough audits of Control-M/Agent configurations across the enterprise to identify and remediate any non-default or insecure settings. 6. Employ application-layer firewalls or proxies to enforce strict SSL/TLS policies and prevent malformed packets from reaching the agent. 7. Establish continuous monitoring and logging of Control-M/Agent activity to detect early signs of exploitation attempts. 8. Educate system administrators on the risks of non-default cryptographic configurations and enforce change management policies to prevent insecure settings. 9. Consider temporary disabling of affected Control-M/Agent instances in high-risk environments until mitigations or patches are applied. 10. Coordinate with BMC support for guidance and best practices tailored to your deployment.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden, Belgium, Switzerland, Poland
CVE-2025-55118: CWE-122 Heap-based Buffer Overflow in BMC Control-M/Agent
Description
CVE-2025-55118 is a high-severity heap-based buffer overflow vulnerability in BMC Control-M/Agent versions 9. 0. 18 through 9. 0. 22. It occurs when SSL/TLS communication is configured with specific non-default settings, allowing remote attackers to trigger memory corruption without authentication or user interaction. The vulnerability can lead to significant impacts on confidentiality, integrity, and availability of affected systems. Exploitation requires network access but no privileges, making it a critical concern for organizations using these versions with the specified configurations. No known exploits are currently in the wild, but the high CVSS score (8. 4) indicates a serious risk.
AI-Powered Analysis
Technical Analysis
CVE-2025-55118 is a heap-based buffer overflow vulnerability identified in BMC's Control-M/Agent software versions 9.0.18 through 9.0.22. The flaw arises specifically when SSL/TLS communication is configured with non-default parameters: in version 9.0.20, when "use_openssl=n" is set, and in versions 9.0.21 and 9.0.22, when both "JAVA_AR=N" and "use_openssl=n" are configured. These settings alter the cryptographic communication stack, leading to improper memory handling that can be exploited remotely without authentication or user interaction. The vulnerability is categorized under multiple CWEs related to memory corruption and buffer overflows (CWE-122, CWE-125, CWE-787, among others), indicating complex memory safety issues. The CVSS 4.0 base score of 8.4 reflects a high severity, with network attack vector, high impact on confidentiality, integrity, and availability, and no required privileges or user interaction. Although no exploits are currently known in the wild, the potential for remote code execution or denial of service is significant. The vulnerability affects the core agent responsible for job scheduling and workload automation, which are critical functions in enterprise IT environments. The lack of available patches at the time of publication necessitates immediate mitigation through configuration changes and network controls. This vulnerability highlights risks introduced by non-default cryptographic configurations and the importance of rigorous testing and secure defaults in enterprise software.
Potential Impact
For European organizations, the impact of CVE-2025-55118 can be severe due to the widespread use of BMC Control-M/Agent in automating critical business processes and IT workloads. Exploitation could allow attackers to execute arbitrary code remotely, disrupt job scheduling, or cause denial of service, leading to operational downtime and potential data breaches. Confidentiality could be compromised if attackers gain access to sensitive job data or credentials managed by the agent. Integrity risks arise from the possibility of tampering with scheduled tasks, potentially causing erroneous or malicious operations. Availability impacts include service interruptions affecting business continuity. Given the vulnerability requires no authentication and no user interaction, it lowers the barrier for attackers, increasing risk exposure. European sectors such as finance, manufacturing, telecommunications, and government entities that rely heavily on automation tools are particularly vulnerable. The absence of known exploits provides a window for proactive defense, but the high severity demands urgent attention to prevent exploitation, especially in environments with non-default SSL/TLS configurations.
Mitigation Recommendations
1. Immediately review and revert SSL/TLS configuration settings in Control-M/Agent to default values, specifically setting "use_openssl" to "yes" and enabling "JAVA_AR" where applicable. 2. Monitor BMC's official channels for patches addressing CVE-2025-55118 and apply them promptly once released. 3. Implement network segmentation to restrict access to Control-M/Agent instances, limiting exposure to trusted management networks only. 4. Deploy intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics to detect anomalous traffic patterns targeting Control-M/Agent communication ports. 5. Conduct thorough audits of Control-M/Agent configurations across the enterprise to identify and remediate any non-default or insecure settings. 6. Employ application-layer firewalls or proxies to enforce strict SSL/TLS policies and prevent malformed packets from reaching the agent. 7. Establish continuous monitoring and logging of Control-M/Agent activity to detect early signs of exploitation attempts. 8. Educate system administrators on the risks of non-default cryptographic configurations and enforce change management policies to prevent insecure settings. 9. Consider temporary disabling of affected Control-M/Agent instances in high-risk environments until mitigations or patches are applied. 10. Coordinate with BMC support for guidance and best practices tailored to your deployment.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- airbus
- Date Reserved
- 2025-08-07T07:24:22.470Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 68c958c0ff7c553b3ddd1f3c
Added to database: 9/16/2025, 12:32:00 PM
Last enriched: 11/25/2025, 1:13:48 PM
Last updated: 12/15/2025, 1:01:53 PM
Views: 114
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2025-66388: CWE-201 Insertion of Sensitive Information Into Sent Data in Apache Software Foundation Apache Airflow
UnknownCVE-2025-11670: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in Zohocorp ManageEngine ADManager Plus
MediumCVE-2025-37731: CWE-287 Improper Authentication in Elastic Elasticsearch
MediumCVE-2025-14714: CWE-288 Authentication Bypass Using an Alternate Path or Channel in The Document Foundation LibreOffice
LowCVE-2025-37732: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Elastic Kibana
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.