Cyber Resilience

CVE-2026-23781

Severity: Critical
Published: 10 April 2026
Modified: 27 April 2026
CVSS v3.1 base score: 9.8 (Critical), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS score: 0.0028 (20.0th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-23781 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in BMC Control-M/Managed File Transfer. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Default Accounts (T1078.001). EPSS ranks it at the 20.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2026-23781 is a critical-severity vulnerability (CVSS v3.1 base score 9.8) affecting BMC Control-M/MFT versions 9.0.20 through 9.0.22. The issue stems from a set of default debug user credentials hardcoded in cleartext within the application package (CWE-798: Use of Hard-coded Credentials). Unless administrators change them, anyone who can obtain the package can read the credentials out of it and use them against the MFT API debug interface.

Exploitation is over the network, has low attack complexity, and requires no privileges or user interaction (AV:N/AC:L/PR:N/UI:N). Successful exploitation gives full unauthorized access to the debug interface, with high impact on the confidentiality, integrity and availability (C:H/I:H/A:H) of the affected system. A practical caveat: the shipped credentials are only useful to an attacker who can reach the debug interface, so network exposure of that interface determines the real-world risk until the credentials are changed or the patch is applied.

BMC advisories provide mitigation through a specific patch for Control-M/MFT 9.0.22, detailed at https://docs.bmc.com/xwiki/bin/view/Control-M-Orchestration/Control-M/ctm9022/Patches/Control-M-MFT-PAAFP-9-0-22-025/, along with general issue management resources at https://www.bmc.com/support/resources/issue-defect-management.html. Administrators should apply patches and change default credentials immediately.


Vulnerability details

An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A set of default debug user credentials is hardcoded in cleartext within the application package. If left unchanged, these credentials can be easily obtained and may allow unauthorized access to the MFT API debug interface.

CWE(s)

CWE-798: Use of Hard-coded Credentials

Related Threats

MITRE ATT&CK Enterprise Techniques

T1078.001 Default Accounts
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Hardcoded default debug credentials directly enable use of default accounts for unauthorized remote access to the exposed API interface.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23782 (same product: BMC Control-M/Managed File Transfer)
CVE-2026-23780 (same product: BMC Control-M/Managed File Transfer)
CVE-2026-26218 (shared CWE-798)
CVE-2026-22900 (shared CWE-798)
CVE-2024-51547 (shared CWE-798)
CVE-2024-46433 (shared CWE-798)
CVE-2019-25322 (shared CWE-798)
CVE-2026-27785 (shared CWE-798)
CVE-2020-37135 (shared CWE-798)
CVE-2026-24346 (shared CWE-798)

Affected Assets

BMC Control-M/Managed File Transfer, versions 9.0.20 through 9.0.22

Mitigating Controls (NIST 800-53 r5)

IA-5 Authenticator Management (prevent)

Directly requires changing default authenticators prior to first use and proper management of credentials, preventing exploitation of the hardcoded debug credentials.

AC-2 Account Management (prevent)

Mandates account management processes including disabling unnecessary accounts and changing default credentials, mitigating unauthorized access to the debug interface.

SI-2 Flaw Remediation (prevent)

Requires timely flaw remediation including applying vendor patches, directly addressing the specific patch provided by BMC for this hardcoded credentials vulnerability.
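As an added example (not BMC's code, and not the product's real configuration format, account names or API), the following Python script shows both halves of what the deeper analysis and the mitigating controls above describe: how trivially cleartext credentials can be pulled out of a shipped package, and what an IA-5 / AC-2 style start-up gate looks like that refuses to bring up a debug account whose authenticator still matches the shipped default. Every file name, property key and credential value in it is constructed for the example.

```python
"""Added example (not BMC's code). Demonstrates CWE-798 extraction and an
IA-5 / AC-2 style default-authenticator gate on a constructed package.
File names, property keys and credential values below are hypothetical."""
from __future__ import annotations

import hmac
import io
import re
import zipfile

# Constructed sample "application package": a properties file shipped with
# debug credentials in cleartext, plus a binary member the scanner must skip.
SAMPLE_PACKAGE_FILES = {
    "conf/debug-api.properties": (
        "# debug interface settings (constructed sample)\n"
        "debug.api.enabled=true\n"
        "debug.api.user=debuguser\n"
        "debug.api.password=Debug1234\n"
    ),
    "conf/app.properties": "app.name=mft-sample\nlog.level=INFO\n",
    # 0xCAFEBABE is not valid UTF-8, so this member is treated as binary.
    "lib/Debug.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34",
}

# Authenticators the (hypothetical) vendor shipped for its debug account.
SHIPPED_DEFAULTS = {"debuguser": "Debug1234"}

# Keys that look like they carry an authenticator; the value is captured so a
# reviewer can see that what ships is usable cleartext, not a hash.
CRED_KEY = re.compile(
    r"^\s*(?P<key>[\w.\-]*(?:pass(?:word|wd)?|pwd|secret|token)[\w.\-]*)"
    r"\s*[=:]\s*(?P<value>\S+)",
    re.IGNORECASE,
)


def build_sample_package() -> bytes:
    """Zip the constructed files into an in-memory package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in SAMPLE_PACKAGE_FILES.items():
            zf.writestr(name, content)
    return buf.getvalue()


def find_cleartext_credentials(package: bytes) -> list[dict]:
    """What an attacker does with the package: unzip it and grep every text
    member for credential-looking keys. Comments and binary members are skipped."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            try:
                text = zf.read(info.filename).decode("utf-8")
            except UnicodeDecodeError:
                continue  # binary member, not a config file
            for lineno, line in enumerate(text.splitlines(), start=1):
                if line.lstrip().startswith(("#", "!")):
                    continue
                m = CRED_KEY.match(line)
                if m:
                    findings.append({"file": info.filename, "line": lineno,
                                     "key": m["key"], "value": m["value"]})
    return findings


def parse_properties(text: str) -> dict[str, str]:
    """Minimal key=value parser for the constructed properties format."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_default_authenticators(config: dict[str, str], debug_required: bool = False) -> dict:
    """Start-up gate for the debug account.

    AC-2: an account nobody needs is disabled rather than left enabled.
    IA-5: an account whose authenticator still equals the shipped default is
    refused, so the service never comes up with CWE-798 live.
    """
    enabled = config.get("debug.api.enabled", "false").lower() == "true"
    user = config.get("debug.api.user", "")
    password = config.get("debug.api.password", "")
    if not enabled:
        return {"action": "ok", "reason": "debug interface disabled"}
    if not debug_required:
        return {"action": "disable", "reason": "debug account not required; disabling (AC-2)"}
    default = SHIPPED_DEFAULTS.get(user)
    if default is not None and hmac.compare_digest(default.encode(), password.encode()):
        return {"action": "refuse", "reason": "authenticator unchanged from shipped default (IA-5)"}
    return {"action": "allow", "reason": "debug account enabled with rotated authenticator"}


if __name__ == "__main__":
    package = build_sample_package()
    for f in find_cleartext_credentials(package):
        print(f"cleartext credential: {f['file']}:{f['line']} {f['key']}={f['value']}")
    cfg = parse_properties(SAMPLE_PACKAGE_FILES["conf/debug-api.properties"])
    print(check_default_authenticators(cfg, debug_required=True))  # refuse: still the default
    rotated = {**cfg, "debug.api.password": "7vQ2!xk9Lm#pR4sZ"}  # constructed rotated value
    print(check_default_authenticators(rotated, debug_required=True))  # allow
```

The scanner side is the point of the CWE: nothing cleverer than unzip-and-grep is needed when credentials ship in cleartext, which is why EPSS and CVSS disagree so much here (trivial once you have the package, but only exploitable where the debug interface is reachable). The gate side keeps the comparison constant-time out of habit, but the real control is structural: the service refuses to start the debug account until the shipped default has been replaced, and disables it outright when nobody has asked for it.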
