CVE-2026-10538

Summary

Messaging consumer functionality allows deserialization of user-controlled data without sufficient restriction of allowed object types in the out of support Control-M/Server and Control-M/Enterprise Manager versions 9.0.20.x and potentially earlier. This issue may allow an authenticated attacker to trigger unintended server-side behavior through crafted serialized content.

Affected Software

VendorProductVersion RangeStatus
BMCControl-M/Enterprise Manager9.0.21unaffected
BMCControl-M/Enterprise Manager9.0.20 < 9.0.21affected
BMCControl-M/Server9.0.21unaffected
BMCControl-M/Server9.0.20 < 9.0.21affected

Weaknesses

  • CWE-502: CWE-502 Deserialization of untrusted data

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References