CVE-2026-10539
Published: 01 July 2026
Summary
CVE-2026-10539 is a critical-severity Authentication Bypass by Primary Weakness (CWE-305) vulnerability. Its CVSS base score is 9.5 (Critical).
Operationally, it ranks at the 14.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-40925
Vulnerability details
A Control-M/Server communication command does not sufficiently filter or sanitize user-supplied input. Under certain conditions, this issue may allow an unauthenticated attacker to execute unauthorized commands on the affected server, potentially leading to compromise of the server. This vulnerability affects Control-M/Server versions 9.0.20.x to 9.0.21.200 (included) and potentially earlier unsupported versions.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
Hardening callouts derived
Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only). Because the mapping is by weakness class (CWE-305) rather than by product, these rules harden the host operating system generically and are not specific to Control-M/Server; they are not a fix for the affected Control-M/Server versions.
Ubuntu 22.04 (1 rule)
- V-260470 Ubuntu 22.04 LTS, when booted, must require authentication upon booting into single-user and maintenance modes. via CWE-305
Ubuntu 24.04 (1 rule)
- V-270675 Ubuntu 24.04 LTS, when booted, must require authentication upon booting into single-user and maintenance modes. via CWE-305
Windows 10 (2 rules)
- V-220812 Credential Guard must be running on Windows 10 domain-joined systems. via CWE-305
- V-220865 The Windows Remote Management (WinRM) service must not use Basic authentication. via CWE-305
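The two Ubuntu rules above (V-260470 and V-270675) are the same check on two releases, so one script serves both. The following is an added example, not code from this page or from DISA: it assumes, as the published Ubuntu STIG checks do, that the rule is satisfied by a GRUB superuser protected with a `password_pbkdf2` hash in `/boot/grub/grub.cfg`, and it exercises the check against constructed sample configs rather than a live system. The function can be pointed at the real file by passing its path. The two Windows rules are registry and WSMan checks that would be written in PowerShell and are not covered here.

```shell
#!/bin/sh
# Added example (not part of the advisory or the STIG text). Implements the
# check behind V-260470 / V-270675 as a function that inspects any grub.cfg.
# Assumption: compliance means 'set superusers=' names a user and that user
# has a 'password_pbkdf2' entry; a plaintext 'password' entry does not count.
# The usual remediation is: grub-mkpasswd-pbkdf2, add 'set superusers' and
# 'password_pbkdf2' to /etc/grub.d/40_custom, then run update-grub.

# check_grub_auth FILE
# Prints a finding and returns 1 unless FILE requires PBKDF2 authentication
# for the configured GRUB superuser. Returns 0 when compliant.
check_grub_auth() {
    cfg="$1"
    if [ ! -r "$cfg" ]; then
        echo "FINDING: $cfg not readable"
        return 1
    fi
    # GRUB only enforces authentication when 'set superusers=' names a user.
    superuser=$(grep -E '^[[:space:]]*set[[:space:]]+superusers=' "$cfg" \
        | head -n 1 \
        | sed -e 's/.*superusers=//' -e 's/"//g' -e 's/[[:space:]].*//')
    if [ -z "$superuser" ]; then
        echo "FINDING: no 'set superusers' entry in $cfg"
        return 1
    fi
    # A plaintext 'password <user> <secret>' line satisfies GRUB but leaves
    # the secret readable in the config; treat it as a finding.
    if grep -Eq "^[[:space:]]*password[[:space:]]+$superuser[[:space:]]" "$cfg"; then
        echo "FINDING: superuser '$superuser' uses a plaintext GRUB password in $cfg"
        return 1
    fi
    # The hash must belong to the superuser; a hash for another user does
    # not protect single-user or maintenance mode.
    if ! grep -Eq "^[[:space:]]*password_pbkdf2[[:space:]]+$superuser[[:space:]]+grub\.pbkdf2\.sha512\." "$cfg"; then
        echo "FINDING: no password_pbkdf2 hash for superuser '$superuser' in $cfg"
        return 1
    fi
    echo "OK: $cfg requires PBKDF2 authentication for superuser '$superuser'"
    return 0
}

# write_samples DIR: writes four constructed grub.cfg fragments (not real
# hashes) covering the compliant case and three common findings.
write_samples() {
    dir="$1"
    cat > "$dir/compliant.cfg" <<'EOF'
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.CONSTRUCTEDSALT.CONSTRUCTEDHASH
menuentry 'Ubuntu' { linux /vmlinuz root=/dev/sda1 }
EOF
    cat > "$dir/missing.cfg" <<'EOF'
menuentry 'Ubuntu' { linux /vmlinuz root=/dev/sda1 }
EOF
    cat > "$dir/plaintext.cfg" <<'EOF'
set superusers="root"
password root hunter2
EOF
    cat > "$dir/wronguser.cfg" <<'EOF'
set superusers="root"
password_pbkdf2 grubadmin grub.pbkdf2.sha512.10000.CONSTRUCTEDSALT.CONSTRUCTEDHASH
EOF
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
write_samples "$SAMPLE_DIR"

# Run the check over every sample; only compliant.cfg should pass.
for f in "$SAMPLE_DIR"/*.cfg; do
    check_grub_auth "$f" || true
done
```

On a live host, run `check_grub_auth /boot/grub/grub.cfg` as root; the file is normally mode 0600, which is why the function reports an unreadable file as a finding rather than silently passing.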