CVE-2025-55108

Critical

Published: 05 November 2025
Modified: 15 April 2026
KEV Added: not listed
CVSS Score: v4.0 9.5 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
EPSS Score: 0.0046 (64.6th percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-55108 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in BMC Software's Control-M/Agent (the affected product is inferred from the references and description, since NVD filed no CPE for this CVE). Its CVSS v4.0 base score is 9.5 (Critical); it also carries a CVSS v3.1 base score of 10.0.

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it in the top 35.4% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-17 (Remote Access).

Deeper analysis

CVE-2025-55108 affects the Control-M/Agent component from BMC Software and enables unauthenticated remote code execution (RCE), arbitrary file read and write, and similar unauthorized actions. The weakness is exposed only when mutual SSL/TLS authentication between the Control-M Server and the Agent is not enabled, which is the default configuration. It is classified as CWE-306 (Missing Authentication for Critical Function). Its CVSS v3.1 base score is the maximum 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H): network-reachable, low complexity, no privileges or interaction, and full impact on confidentiality, integrity, and availability, with scope changed because an agent compromise reaches beyond the agent itself. The v4.0 vector scores 9.5 rather than 10.0 because it records AT:P (attack requirements present), reflecting the dependency on the deployment having left mutual TLS off.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network. Successful exploitation allows attackers to execute arbitrary code on the affected Control-M/Agent host, read or write arbitrary files, and perform other unauthorized actions, potentially leading to full system compromise in environments where mutual TLS is disabled.

BMC's advisories state that the vulnerability manifests only when documented security best practices are ignored; BMC has consistently recommended configuring SSL/TLS mutual authentication between the Control-M Server and Agent. Control-M/Agent deployments in Control-M SaaS are explicitly not impacted. Mitigation details are in the BMC knowledge base articles at https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441962, https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000442099, and https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000442271. In practice the question to answer for each agent is therefore not "is it patched" but "does its listener refuse a peer that presents no client certificate".
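The Go program below is an added illustration, not BMC code and not part of this page's source. It checks the single property the advisory hinges on: whether a TLS listener will keep a session open for a peer that presents no client certificate. Point ProbeClientAuth at an agent's server-to-agent listener (host and port taken from your own agent configuration; the page does not state the port) from a host the Control-M Server would normally connect from. The probe speaks only TLS and sends no Control-M protocol bytes, so it does not confirm the vulnerability itself; it tells you whether the mutual-TLS control the vendor recommends is actually enforced. The self-signed loopback listener exists only so the program runs offline, and its behaviour is an assumption about how a generic TLS stack rejects a missing client certificate, not a model of the Control-M/Agent.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// Verdict is what the probe concluded about the listener's client-auth policy.
type Verdict string

const (
	ClientCertRequired Verdict = "client certificate required (mutual TLS enforced)"
	NoClientAuth       Verdict = "session accepted with no client certificate (mutual TLS NOT enforced)"
	NotTLS             Verdict = "no TLS handshake (plaintext listener, closed port or unreachable)"
)

// ProbeClientAuth opens a TLS session to addr while presenting no client
// certificate and reports whether the listener lets that session stand.
// Only the TLS layer is exercised; no application-protocol bytes are sent.
func ProbeClientAuth(addr string, timeout time.Duration) (Verdict, error) {
	dialer := &net.Dialer{Timeout: timeout}
	// InsecureSkipVerify: the server's identity is not the question; whether it demands ours is.
	conn, err := tls.DialWithDialer(dialer, "tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		if isClientAuthRejection(err) { // TLS 1.2 servers reject inside the handshake
			return ClientCertRequired, nil
		}
		return NotTLS, err
	}
	defer conn.Close()
	// Under TLS 1.3 the client side of the handshake completes before the server
	// has evaluated the empty Certificate message, so a rejection only surfaces as
	// an alert on the first read. A read timeout or EOF means the server was
	// content to hold an unauthenticated session open.
	_ = conn.SetReadDeadline(time.Now().Add(timeout))
	if _, err := conn.Read(make([]byte, 1)); err != nil && isClientAuthRejection(err) {
		return ClientCertRequired, nil
	}
	return NoClientAuth, nil
}

// isClientAuthRejection matches the alerts a server raises when the client sent no certificate.
func isClientAuthRejection(err error) bool {
	s := err.Error()
	return strings.Contains(s, "certificate required") || // TLS 1.3 alert
		strings.Contains(s, "bad certificate") // TLS 1.2 alert (Go servers)
}

// selfSignedCert mints a throwaway ECDSA certificate for the local test listener.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "probe-test-listener"}, // constructed test identity
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// StartTestListener runs a loopback TLS listener with the given client-auth policy,
// standing in for an agent configured with or without mutual TLS. Accepted sessions
// are handshaken and then held open, like an idle service waiting for a command.
func StartTestListener(policy tls.ClientAuthType) (addr string, stop func(), err error) {
	cert, err := selfSignedCert()
	if err != nil {
		return "", nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}, ClientAuth: policy})
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) {
				defer c.Close()
				if c.(*tls.Conn).Handshake() == nil {
					time.Sleep(2 * time.Second) // hold the session open; the probe's read deadline ends it
				}
			}(c)
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

func main() {
	for _, policy := range []tls.ClientAuthType{tls.NoClientCert, tls.RequireAnyClientCert} {
		addr, stop, err := StartTestListener(policy)
		if err != nil {
			panic(err)
		}
		v, perr := ProbeClientAuth(addr, time.Second)
		fmt.Printf("%s -> %s (err=%v)\n", addr, v, perr)
		stop()
	}
}
```

Run against a real agent, any verdict other than "client certificate required" is a finding: "mutual TLS NOT enforced" is the default state the advisory describes, and "no TLS handshake" on a port that is known to be open means the server-to-agent channel is plaintext, which is weaker still. Run the probe from the network position of an arbitrary internal host as well as from the Control-M Server; a listener that is only reachable from the server's IP has a compensating control, but not the one the vendor recommends.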

Vulnerability details

The Control-M/Agent is vulnerable to unauthenticated remote code execution, arbitrary file read and write and similar unauthorized actions when mutual SSL/TLS authentication is not enabled (i.e. in the default configuration). NOTE: * The vendor believes that this vulnerability only occurs when documented security best practices are not followed. BMC has always strongly recommended to use security best practices such as configuring SSL/TLS between Control-M Server and Agent. * The vendor notifies that Control-M/Agent is not impacted in Control-M SaaS

CWE(s)

CWE-306: Missing Authentication for Critical Function

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated remote code execution on the network-accessible Control-M/Agent service directly enables T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-21515 (shared CWE-306)
CVE-2025-57432 (shared CWE-306)
CVE-2026-27446 (shared CWE-306)
CVE-2026-21446 (shared CWE-306)
CVE-2021-47891 (shared CWE-306)
CVE-2025-41715 (shared CWE-306)
CVE-2026-24790 (shared CWE-306)
CVE-2025-21524 (shared CWE-306)
CVE-2025-53072 (shared CWE-306)
CVE-2025-40771 (shared CWE-306)

Affected Assets

BMC Software Control-M/Agent
Inferred from the references and description; NVD did not file a CPE for this CVE. Per the vendor, Control-M/Agent in Control-M SaaS is not affected.

Mitigating Controls (NIST 800-53 r5)

AC-14 Permitted Actions Without Identification or Authentication (prevent)
Explicitly identifies and prohibits remote critical functions such as RCE and arbitrary file operations without identification or authentication on the Control-M/Agent, directly countering CWE-306 in the default configuration.

Secure configuration settings (prevent)
Requires enforcing secure configuration settings, here enabling mutual SSL/TLS authentication on the Control-M/Agent, which removes the vendor-noted default vulnerable state.

AC-17 Remote Access (prevent)
Manages and authorizes remote access to the Control-M/Agent with cryptographic protections such as mutual TLS, preventing unauthenticated network-based exploitation.

References

https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441962
https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000442099
https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000442271