CVE-2025-55114
6.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Summary
The improper order of AUTHORIZED_CTM_IP validation in the Control-M/Agent, where the Control-M/Server IP address is validated only after the SSL/TLS handshake is completed, exposes the Control-M/Agent to vulnerabilities in the SSL/TLS implementation under certain non-default conditions (e.g. CVE-2025-55117 or CVE-2025-55118) or potentially to resource exhaustion.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| BMC | Control-M/Agent | 9.0.21 | unaffected |
| BMC | Control-M/Agent | 9.0.20 | affected |
| BMC | Control-M/Agent | 9.0.19 | affected |
| BMC | Control-M/Agent | 9.0.18 | affected |
Weaknesses
- CWE-696: CWE-696 Incorrect Behavior Order
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000442099
- https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441968
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.