This vulnerability affects BMC Control-M/MFT versions 9.0.20 through 9.0.22 and involves a SQL injection flaw in the MFT API's debug interface. Due to improper input validation and unsafe dynamic SQL query construction, an authenticated attacker can inject malicious SQL commands. Exploitation can result in arbitrary file read/write capabilities and potentially remote code execution, posing significant risk to affected systems. The CVSS 3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability. No patch or official remediation level has been disclosed as of the publication date.

An authenticated attacker exploiting this vulnerability can execute arbitrary SQL queries via the debug interface, leading to unauthorized file read/write operations and possibly remote code execution. This compromises system confidentiality, integrity, and availability. The high CVSS score indicates a severe impact if exploited. There are no known active exploits reported at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the MFT API debug interface to trusted users only and monitor for suspicious activity. Avoid exposing the debug interface to untrusted networks. Follow vendor communications closely for updates on patches or mitigations.