CVE-2025-55114

Summary

The improper order of AUTHORIZED_CTM_IP validation in the Control-M/Agent, where the Control-M/Server IP address is validated only after the SSL/TLS handshake is completed, exposes the Control-M/Agent to vulnerabilities in the SSL/TLS implementation under certain non-default conditions (e.g. CVE-2025-55117 or CVE-2025-55118) or potentially to resource exhaustion.

Affected Software

VendorProductVersion RangeStatus
BMCControl-M/Agent9.0.21unaffected
BMCControl-M/Agent9.0.20affected
BMCControl-M/Agent9.0.19affected
BMCControl-M/Agent9.0.18affected

Weaknesses

  • CWE-696: CWE-696 Incorrect Behavior Order

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References