Cyber Resilience

CVE-2026-10539

Critical

Published: 01 July 2026

Modified: 01 July 2026
CVSS v4.0 base score: 9.5 (Critical)
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0024 (14.4th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-10539 is a critical-severity Authentication Bypass by Primary Weakness (CWE-305) vulnerability with a CVSS v4.0 base score of 9.5 (Critical). The vector describes a network-reachable attack (AV:N) that needs no privileges (PR:N) and no user interaction (UI:N) and has high impact on the confidentiality, integrity and availability of both the vulnerable system and subsequent systems (VC/VI/VA:H, SC/SI/SA:H); attack requirements are present (AT:P), meaning exploitation depends on deployment or execution conditions of the target, which matches the "under certain conditions" wording in the vendor description.

Operationally, its EPSS exploit likelihood sits at the 14.4th percentile (below the median), and it is not currently listed in the CISA KEV catalog.


Vulnerability details

A Control-M/Server communication command does not sufficiently filter or sanitize user-supplied input. Under certain conditions, this issue may allow an unauthenticated attacker to execute unauthorized commands on the affected server, potentially leading to compromise of the server. This vulnerability affects Control-M/Server versions 9.0.20.x to 9.0.21.200 (included) and potentially earlier unsupported versions.
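The affected range above is the one concrete, checkable fact in the advisory, so the first practical step is to triage an inventory of Control-M/Server installations against it. The script below is an added example, not tooling from BMC or from this page; the hostnames and version strings in the inventory are constructed for illustration, and the four-part version format (e.g. 9.0.21.200) is assumed from the form used in the advisory. It treats versions older than 9.0.20 as "possibly affected" because the advisory says earlier unsupported versions may be affected, and it does not label newer builds "fixed" because the advisory names no fixed build.

```python
"""Classify Control-M/Server version strings against the range given in the
CVE-2026-10539 description: 9.0.20.x through 9.0.21.200 inclusive, plus
'potentially earlier unsupported versions'.

Added example (not BMC tooling). Inventory data below is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Bounds taken from the advisory text; the fourth component of the lower
# bound is 0 so that every 9.0.20.x build falls inside the range.
AFFECTED_LOW: Tuple[int, int, int, int] = (9, 0, 20, 0)
AFFECTED_HIGH: Tuple[int, int, int, int] = (9, 0, 21, 200)

# Assumed version format: major.minor.patch[.fix], all numeric.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?\s*$")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse '9.0.21.200' into (9, 0, 21, 200); a missing fix level is 0.
    Returns None for anything that does not match the expected shape, so a
    malformed or wildcard string ('9.0.20.x') is never silently classified."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch, fix = m.groups()
    return (int(major), int(minor), int(patch), int(fix or 0))


def classify(text: str) -> str:
    """Map a version string to one of four triage buckets.

    affected             : inside 9.0.20.0 .. 9.0.21.200 inclusive (advisory)
    possibly-affected    : older than 9.0.20 (advisory: unsupported, maybe affected)
    outside-listed-range : newer than 9.0.21.200; the advisory names no fixed
                           build, so confirm the vendor's fix level separately
    unknown              : unparseable; needs manual review
    """
    v = parse_version(text)
    if v is None:
        return "unknown"
    if AFFECTED_LOW <= v <= AFFECTED_HIGH:
        return "affected"
    if v < AFFECTED_LOW:
        return "possibly-affected"
    return "outside-listed-range"


# Constructed inventory: (hostname, reported Control-M/Server version).
INVENTORY: List[Tuple[str, str]] = [
    ("ctm-prod-01", "9.0.21.200"),
    ("ctm-prod-02", "9.0.20.100"),
    ("ctm-dr-01", "9.0.19.200"),
    ("ctm-lab-01", "9.0.21.300"),
    ("ctm-legacy", "9.0.20.x"),
]


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Return {hostname: bucket} for every host in the inventory."""
    return {host: classify(ver) for host, ver in inventory}


if __name__ == "__main__":
    for host, bucket in triage(INVENTORY).items():
        print(f"{host:12s} {bucket}")
```

Note that the comparison is tuple-wise on integers, so a hypothetical 9.0.21.50 sorts below 9.0.21.200 as intended, and a version reported without a fix level (e.g. 9.0.21) is treated as fix level 0 of that line rather than rejected.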

CWE(s)

CWE-305: Authentication Bypass by Primary Weakness

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Server (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

Hardening callouts derived

Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. They are derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only), so they address CWE-305 generically at the operating-system level; none of them configures Control-M/Server itself, and none substitutes for moving affected installations out of the listed version range.

Ubuntu 22.04 (1 rule)
  • V-260470 Ubuntu 22.04 LTS, when booted, must require authentication upon booting into single-user and maintenance modes. via CWE-305
Ubuntu 24.04 (1 rule)
  • V-270675 Ubuntu 24.04 LTS when booted must require authentication upon booting into single-user and maintenance modes. via CWE-305
Windows 10 (2 rules)
  • V-220812 Credential Guard must be running on Windows 10 domain-joined systems. via CWE-305
  • V-220865 The Windows Remote Management (WinRM) service must not use Basic authentication. via CWE-305
