Critical Flaw in BMC Control-M (CVE-2026-10539): Server Takeover With No Password. Update to 9.0.21.300
BMC Control-M, which runs companies' core batch jobs, has a critical flaw: a passwordless attacker can take over the server (CVE-2026-10539, CVSS 9.0). Update to 9.0.21.300.
A serious vulnerability has been found in "BMC Control-M," operations software that many companies use to run their core automated processing (batch jobs), such as nightly payroll, settlements and data aggregation. Under certain conditions, an attacker with no password can execute unauthorized commands on the server and take it over. The identifier is CVE-2026-10539, with a severity of CVSS 9.0 out of 10 (9.5 under the newer CVSS 4.0).
The affected part is "Control-M/Server," the core component that manages schedules. Per the U.S. NVD description, a communication command the server accepts does not sufficiently filter user-supplied input, so when conditions align, a command can run without going through authentication. Vendor BMC has published a fixed version (9.0.21.300) and describes it in its official support information. Because this software ties together core processing, corporate IT teams should check early.
| Item | Details |
|---|---|
| CVE | CVE-2026-10539 |
| Target | BMC Control-M/Server (core batch operations software) |
| Type | Authentication bypass + command execution (insufficient input filtering) |
| What happens | Command execution on the server with no password, leading to server takeover |
| Severity (CVSS) | 9.0 (v3.1) / 9.5 (v4.0) |
| Affected / Fixed | 9.0.20.x to 9.0.21.200 / fixed in 9.0.21.300 |
| Exploitation | No exploitation reported (at publication) |
*Severity (CVSS) rates danger out of 10. This flaw is not listed in the U.S. CISA catalog of exploited vulnerabilities (KEV), and no exploit code has been observed. Note that the CVSS scoring assumes "certain conditions," which we cover below.
Who is at risk, and what is the damage
This flaw is most useful to attackers who have already gotten into the internal network and are trying to widen their intrusion toward the company's core. Control-M/Server is not the kind of product you expose directly to the internet; it sits deep in the corporate network, close to the "heart" that ties core processing together. So rather than being hit in one shot from outside, it is more likely to be the next stepping stone for an attacker who broke in through another door. A malicious insider is just as dangerous.
Once an attacker can reach the server's traffic, they can execute unauthorized commands on the server just by sending a crafted communication command, without entering a password. Because Control-M holds the authority to run business-system batch jobs, seizing it spreads the impact quickly.
The essence of the damage is gaining control of the company's "nervous system." If core batch jobs (nightly payroll, account processing, inventory updates, data integration) are stopped or quietly altered, operations across the business are thrown into disarray. And since Control-M connects to many execution servers, it can be used as a launch point for lateral movement to other systems, theft of stored credentials, or a foothold for ransomware (attacks that hold data hostage for a ransom). Core operations software is a classic case where a compromise spreads damage across the board.
What Control-M is, and whether you are affected
Control-M is BMC's software for automatic job execution and schedule management (workload automation). It centrally manages the sequencing of large volumes of routine processing: "run this job at midnight; on success go to the next, on failure retry." Because it can link everything from old mainframe batches to new cloud processing, it is widely used to run core operations at large companies in finance, manufacturing, telecom and the public sector. BMC's Japanese product page describes these uses too.
Control-M is made of three main parts. Use the table to check which one this issue concerns.
| Part | Role | Affected here |
|---|---|---|
| Control-M/Server | The core that manages schedules | Yes (9.0.20.x to 9.0.21.200) |
| Control-M/Agent | Actually runs jobs on each server | Not affected by this CVE |
| Control-M/EM | The management console (GUI) for the whole | Not affected here |
The target is Control-M/Server versions 9.0.20.x to 9.0.21.200, and earlier unsupported versions may also be affected. You can tell whether your environment applies by checking the version of your running Control-M/Server. Rather than agonizing over it, the sure move is to update to the fixed version first.
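To check an inventory against the affected range quickly, here is a small triage script. It is an added example, not BMC's own tooling; the version boundaries come from the advisory above, and the hostnames and version strings in the sample inventory are constructed.

```python
"""Triage Control-M/Server versions against the CVE-2026-10539 affected range."""
from __future__ import annotations
import re

# Boundaries from the advisory: 9.0.20.x to 9.0.21.200 affected, 9.0.21.300 fixed.
FIXED = (9, 0, 21, 300)
AFFECTED_LOW = (9, 0, 20, 0)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> tuple[int, int, int, int] | None:
    """Parse 'a.b.c' or 'a.b.c.d' into a comparable tuple (missing 4th field = 0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def assess(version: str) -> str:
    """Classify one Control-M/Server version string.

    'fixed'        : 9.0.21.300 or later
    'affected'     : 9.0.20.0 up to (but not including) the fix; builds between
                     9.0.21.200 and 9.0.21.300 are treated as affected, since no
                     fix below 9.0.21.300 is documented
    'check-vendor' : older than the documented range, which the advisory says
                     may also be affected (unsupported releases)
    'unparsable'   : not a version string at all
    """
    v = parse_version(version)
    if v is None:
        return "unparsable"
    if v >= FIXED:
        return "fixed"
    if v < AFFECTED_LOW:
        return "check-vendor"
    return "affected"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by assessment so the 'affected' list can be scheduled first."""
    groups: dict[str, list[str]] = {}
    for host, ver in inventory.items():
        groups.setdefault(assess(ver), []).append(host)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {"ctm-prod-01": "9.0.21.200", "ctm-prod-02": "9.0.21.300",
              "ctm-dr-01": "9.0.20.100", "ctm-legacy": "9.0.19.100", "ctm-test": "n/a"}
    for status, hosts in sorted(triage(sample).items()):
        print(f"{status:13s} {', '.join(hosts)}")
```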
Inside the vulnerability
Control-M/Server accepts several communication commands to interact with external parts. The flaw is that when processing such a command, it did not sufficiently check (filter and sanitize) the supplied input. It is classified as "authentication bypass by primary weakness" (CWE-305): an operation that should require authentication can, depending on conditions, go through without it. The NVD description adds "under certain conditions," meaning it does not always succeed in every configuration.
This shows in the severity scoring too. The CVSS 3.1 base score is a high 9.0, but the attack complexity is rated "high," and the 4.0 assessment likewise treats "certain attack requirements" as present. In other words, while "no password is needed," success involves the environment and conditions. Even so, it remains a flaw that can lead to command execution on a core server without authentication, and its potential impact calls for a high-priority response. No attack steps or proof-of-concept code have been published.
What to do now
The top priority is updating to the fixed version 9.0.21.300. BMC resolves the issue in this version; if you run 9.0.21.200 or earlier, plan the rollout. Core batch jobs can be hard to pause, but given the potential impact, the safe path is to verify in a test environment and apply the fix early.
Interim measures until you update: First, restrict who can reach Control-M/Server's communication port, allowing access only from the devices and network segments operations require. Second, protect inter-component communication with mutual authentication (mutual TLS) and revisit the security settings BMC recommends. Third, monitor logs for suspicious traffic or job tampering. Because Control-M sits deep inside the corporate network, you need to watch internal access, not just the perimeter. With similar enterprise products, such as IBM Db2 and Adobe ColdFusion, reviewing exposure and updating quickly has likewise been the difference between safety and damage.
Summary
CVE-2026-10539 is a flaw in "Control-M/Server," the core component of BMC Control-M that ties together corporate batch processing. Its weak input checking on a communication command means that, under certain conditions, an attacker with no password can run unauthorized commands on the server and take it over. The severity is CVSS 9.0 (9.5 under 4.0); affected versions are 9.0.20.x to 9.0.21.200, fixed in 9.0.21.300.
No real-world exploitation has been reported so far, and the attack involves conditions. Still, Control-M is the "nervous system" that keeps a company running, and a compromise there reaches across operations. Planning the update, and revisiting reachability restrictions and inter-component protection, is the sure way to prepare.
FAQ
I use Control-M. Am I necessarily at risk?
The target is Control-M/Server versions 9.0.20.x to 9.0.21.200. If that applies, you are affected. That said, this flaw is described as succeeding "under certain conditions," so it cannot always be exploited in every configuration. Even so, since it can lead to command execution on the server without authentication, we strongly recommend updating to the fixed 9.0.21.300.
Which version should I upgrade to?
Update to the fixed 9.0.21.300. Affected versions are 9.0.20.x to 9.0.21.200 and possibly earlier unsupported versions. See BMC's official support information for details.
Are Control-M/Agent and Enterprise Manager affected too?
This vulnerability (CVE-2026-10539) targets Control-M/Server. Control-M/Agent and Enterprise Manager (EM) are not affected by this issue. However, since Control-M has seen a run of security fixes, keep every component up to date per BMC's official support information.
Is it already being exploited?
As of publication, there are no reports of real-world attacks, no listing in the U.S. CISA catalog of exploited vulnerabilities (KEV), and no published proof-of-concept code. Still, given the potential impact, updating before exploitation spreads is the safe move.
Update history
- July 1, 2026: First published (created following the CVE's publication and BMC's official support information).
Makoto Horikawa
Backend Engineer / AWS / Django