CVE-2025-55108
Published: 05 November 2025
Summary
CVE-2025-55108 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in BMC Control-M/Agent. This page records a CVSS base score of 9.5 (Critical); the full CVSS v3.1 vector given in the deeper analysis below evaluates to 10.0.
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked in the top 35.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-17 (Remote Access).
Deeper analysis
CVE-2025-55108 affects the Control-M/Agent component from BMC Software. It allows unauthenticated remote code execution (RCE), arbitrary file read and write, and similar unauthorized actions, and it arises specifically when mutual SSL/TLS authentication between Control-M/Server and Control-M/Agent is not enabled, which is the default configuration: without a client-certificate check the agent has no way to tell a genuine Control-M/Server from any other host that reaches its listener. It is classified under CWE-306 (Missing Authentication for Critical Function) with a CVSS v3.1 base score of 10.0, the maximum (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H): network-reachable, low attack complexity, no privileges or user interaction required, changed scope, and high impact on confidentiality, integrity, and availability.
Exploitation is carried out over the network and requires neither privileges nor user interaction. A successful attacker can execute arbitrary code on the Control-M/Agent host, read or write arbitrary files, and perform other unauthorized actions, which in environments where mutual TLS is disabled amounts to full compromise of that host.
BMC's advisories stress that the vulnerability manifests only when documented security best practices are ignored; BMC has consistently recommended configuring SSL/TLS mutual authentication between Control-M/Server and Control-M/Agent. Note that server-only TLS (encryption without a client certificate) does not remove the condition: it is the mutual authentication that lets the agent reject connections from anything other than an authorized Control-M/Server. Control-M/Agent deployments in Control-M SaaS are explicitly not impacted. Mitigation details are available in the BMC knowledge base articles at https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441962, https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000442099, and https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000442271.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-37780
Vulnerability details
The Control-M/Agent is vulnerable to unauthenticated remote code execution, arbitrary file read and write and similar unauthorized actions when mutual SSL/TLS authentication is not enabled (i.e. in the default configuration).
NOTE:
* The vendor believes that this vulnerability only occurs when documented security best practices are not followed. BMC has always strongly recommended to use security best practices such as configuring SSL/TLS between Control-M Server and Agent.
* The vendor notifies that Control-M/Agent is not impacted in Control-M SaaS.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote code execution on a network-accessible Control-M/Agent service directly enables T1190: Exploit Public-Facing Application.
Mitigating Controls (NIST 800-53 r5)
- AC-14 (Permitted Actions Without Identification or Authentication): explicitly identifies and prohibits remote critical functions such as RCE and arbitrary file operations without identification or authentication on the Control-M/Agent, directly countering CWE-306 in the default configuration.
- Secure configuration settings: requires enforcing secure configuration settings such as enabling mutual SSL/TLS authentication on Control-M/Agent, mitigating the vendor-noted default vulnerable state.
- AC-17 (Remote Access): manages and authorizes remote access to Control-M/Agent with cryptographic protections such as mutual TLS, preventing unauthenticated network-based exploitation.
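The condition described in the deeper analysis and the mutual-TLS controls above both come down to one question per agent: does the listener reject a peer that presents no client certificate? The following audit probe is an added example for this page, not BMC code and not taken from the advisories. It speaks no Control-M protocol; it only performs a TLS handshake with no client certificate and classifies what the listener does. The Server-to-Agent port 7006 used as the default is an assumption, and the cleartext listener the script starts for its demo is a constructed stand-in for an agent in the default state, not the real service.

```python
"""Audit: does a Control-M/Agent listener demand a client certificate?

Added example, not BMC code. It speaks no Control-M protocol: it runs one
TLS handshake presenting NO client certificate and classifies the outcome.
Port 7006 as the Server-to-Agent default is an assumption.
"""
import socket
import ssl
import threading

NO_TLS = "no-tls"                          # peer does not speak TLS: vulnerable default
TLS_NO_CLIENT_AUTH = "tls-no-client-auth"  # TLS, but any client is let in
TLS_CLIENT_AUTH = "tls-client-auth"        # rejected for lack of a client cert: mutual TLS enforced
UNREACHABLE = "unreachable"

# Alerts an mTLS-enforcing server sends to a client that offers no certificate:
# TLS 1.3 "certificate required" (alert 116), TLS 1.2 "handshake failure" (alert 40).
_CLIENT_AUTH_MARKERS = ("certificate required", "handshake failure")


def classify_ssl_error(err: ssl.SSLError) -> str:
    """Map a client-side SSLError to one of the states above."""
    msg = str(err).lower()
    if any(marker in msg for marker in _CLIENT_AUTH_MARKERS):
        return TLS_CLIENT_AUTH
    # "wrong version number", "unknown protocol", "unexpected eof": peer is not TLS at all.
    return NO_TLS


def probe(host: str, port: int = 7006, timeout: float = 5.0) -> str:
    """Handshake without a client certificate and report what the listener did."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE      # we audit what the server demands, not its own cert
    # Deliberately no ctx.load_cert_chain(): the probe presents no client certificate.
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return UNREACHABLE
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:   # handshake happens here
            # TLS 1.3 delivers the server's "certificate required" alert only after the
            # handshake already looks complete to the client, so read once to surface it.
            try:
                tls.recv(1)
            except socket.timeout:
                pass   # server idles waiting for application data: anyone may talk to it
            return TLS_NO_CLIENT_AUTH
    except ssl.SSLError as err:          # must precede OSError (SSLError subclasses it)
        return classify_ssl_error(err)
    except OSError:                      # reset, EOF or timeout during handshake: no TLS reply
        return NO_TLS


def start_cleartext_listener() -> int:
    """Constructed stand-in for an agent in the default (no TLS) state: accepts one
    connection, answers the ClientHello with a cleartext banner, hangs up. Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)                       # swallow the ClientHello
            conn.sendall(b"AGENT READY\r\n")      # constructed banner, not the real protocol
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    import sys
    targets = sys.argv[1:]
    if not targets:                               # no targets: demo against the local stand-in
        targets = [f"127.0.0.1:{start_cleartext_listener()}"]
    for target in targets:
        host, _, port = target.partition(":")
        print(f"{target}: {probe(host, int(port) if port else 7006)}")
```

Run it with `host:port` arguments for the agents in your inventory; anything reported as `no-tls` or `tls-no-client-auth` is accepting connections without proving the peer is an authorized Control-M/Server, and only `tls-client-auth` matches the mutual-authentication state BMC recommends. The probe classifies by handshake behaviour alone, so verify a `tls-client-auth` result against the agent's configuration rather than treating it as proof.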