Cyber Posture

CVE-2026-23781

Severity: Critical
Published: 10 April 2026
Modified: 27 April 2026
KEV Added: not listed
Patch: available (see Deeper analysis)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0007 (21.0th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-23781 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in BMC Control-M/Managed File Transfer (Control-M/MFT). Its CVSS 3.1 base score is 9.8 (Critical).

Exploitation maps to the MITRE ATT&CK technique Default Accounts (T1078.001). EPSS ranks it at the 21.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog. The low EPSS score is what pulls the Risk Priority down to 20 despite the Critical CVSS rating; a KEV listing or a rise in observed exploitation would change that quickly.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Default Accounts (T1078.001). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

IA-5 Authenticator Management (prevent)

Directly requires changing default authenticators prior to first use and proper management of credentials, preventing exploitation of the hardcoded debug credentials.

AC-2 Account Management (prevent)

Mandates account management processes, including disabling unnecessary accounts and changing default credentials, which mitigates unauthorized access to the debug interface.

SI-2 Flaw Remediation (prevent)

Requires timely flaw remediation, including applying vendor patches; this directly covers the patch BMC provides for this hardcoded-credentials vulnerability.

MITRE ATT&CK Enterprise Techniques

T1078.001 Default Accounts
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

Why this technique?

Hardcoded default debug credentials directly enable use of a default account for unauthorized remote access to the exposed API interface.

Mapping confidence: high (MITRE ATT&CK Enterprise v18.1)

NVD Description

An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A set of default debug user credentials is hardcoded in cleartext within the application package. If left unchanged, these credentials can be easily obtained and may allow unauthorized access to the MFT API debug interface.

Deeper analysis

CVE-2026-23781 is a critical-severity vulnerability (CVSS 3.1 score of 9.8) affecting BMC Control-M/MFT versions 9.0.20 through 9.0.22. The issue stems from a set of default debug user credentials that are hardcoded in cleartext within the application package (CWE-798: Use of Hard-coded Credentials). Because the credentials ship inside the package, anyone who can obtain the installer or an installed copy can read them; if administrators never change them, they grant unauthorized access to the MFT API debug interface.

Remote attackers require no privileges, authentication, or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation gives full unauthorized access to the debug interface, which the CVSS vector rates as a high-impact compromise of confidentiality, integrity, and availability (C:H/I:H/A:H). Actual exposure depends on two things a practitioner should verify directly: whether the MFT API debug interface is reachable from untrusted networks, and whether the shipped debug credentials are still in place.

BMC provides a patch for Control-M/MFT 9.0.22, documented at https://docs.bmc.com/xwiki/bin/view/Control-M-Orchestration/Control-M/ctm9022/Patches/Control-M-MFT-PAAFP-9-0-22-025/, with general issue-management resources at https://www.bmc.com/support/resources/issue-defect-management.html. Administrators should apply the patch and, before exposing the interface, replace the shipped debug credentials or disable the debug account outright if it is not needed.
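The two practical questions raised above (is a cleartext credential shipped in the package, and is the deployed system still using it) are the same ones the IA-5 and AC-2 controls ask. The following scanner is an added example written for this page, not BMC's code and not derived from the advisory: it walks an application package (zip/jar, recursing into nested archives), reports credential-like assignments and basic-auth headers in text and binary members, skips values that are clearly templated at deploy time, and then checks a live configuration against what shipped. Every member name, account name and credential value in the sample package is constructed for the demonstration.

```python
"""Find cleartext credentials shipped inside an application package (CWE-798) and
check that the deployed configuration no longer uses them (NIST 800-53 IA-5).

Added example: the package layout, member names and credential values below are
constructed for the demonstration; none of them come from BMC or the advisory.
"""
import base64
import io
import re
import zipfile

# key=value / key: value where the key looks like a credential (properties, YAML, INI, JSON, XML)
CRED_ASSIGN = re.compile(
    r"(?i)\b([\w.\-]*(?:password|passwd|pwd|secret|api[_-]?key|token)[\w.\-]*)"
    r"\s*[=:]\s*[\"']?([^\"'\s,;<>]+)"
)
# HTTP basic credentials baked into scripts or config files
BASIC_AUTH = re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]{8,})")
PLACEHOLDERS = {"changeme", "<password>", "xxx", "***", "null", "none", "todo"}
TEXT_EXTS = (".properties", ".xml", ".yml", ".yaml", ".json", ".ini", ".cfg",
             ".conf", ".txt", ".sh", ".bat", ".env")
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def _as_text(name, data):
    """Text members are decoded; binary members are reduced to printable runs, like strings(1)."""
    if name.lower().endswith(TEXT_EXTS):
        return data.decode("utf-8", errors="ignore")
    return b"\n".join(re.findall(rb"[\x20-\x7e]{6,}", data)).decode("ascii")


def _is_placeholder(value):
    """Values substituted at deploy time are not shipped secrets."""
    v = value.lower()
    return v in PLACEHOLDERS or v.startswith(("${", "{{", "%(", "@"))


def scan_member(name, data):
    """Return credential findings for one archive member."""
    findings = []
    for lineno, line in enumerate(_as_text(name, data).splitlines(), 1):
        for m in CRED_ASSIGN.finditer(line):
            if not _is_placeholder(m.group(2)):
                findings.append({"member": name, "line": lineno, "key": m.group(1),
                                 "value": m.group(2), "user": None})
        for m in BASIC_AUTH.finditer(line):
            try:  # decode user:password so the account name is reported as well
                user, _, value = base64.b64decode(m.group(1), validate=True).decode().partition(":")
            except ValueError:
                user, value = None, m.group(1)
            findings.append({"member": name, "line": lineno, "key": "Authorization: Basic",
                             "value": value, "user": user})
    return findings


def scan_package(blob, prefix=""):
    """Walk a zip/jar, recursing into nested archives (names use the jar:...!/ convention)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name, data = prefix + info.filename, zf.read(info)
            if name.lower().endswith(ARCHIVE_EXTS) and zipfile.is_zipfile(io.BytesIO(data)):
                findings.extend(scan_package(data, name + "!/"))
            else:
                findings.extend(scan_member(name, data))
    return findings


def defaults_still_deployed(findings, deployed):
    """IA-5 check: keys whose live value still equals the value shipped in the package.
    `deployed` is {config key: value} read from the running system's configuration."""
    return sorted({f["key"] for f in findings if deployed.get(f["key"]) == f["value"]})


def build_sample_package():
    """Constructed package: a cleartext debug credential in a properties file, a templated
    value (ignored), a basic-auth header in a script, and a string inside a nested jar's class."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr("META-INF/app.conf", "service.token=${SERVICE_TOKEN}\n")
        jar.writestr("com/example/Dbg.class",
                     b"\xca\xfe\xba\xbe\x00\x00\x004\x01\x00\x14legacy.passwd=s3cr3t!\x00")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as pkg:
        pkg.writestr("conf/mft-debug.properties",
                     "debug.api.enabled=false\ndebug.api.user=dbgadmin\ndebug.api.password=Debug#2026\n")
        pkg.writestr("bin/healthcheck.sh",
                     'curl -s -H "Authorization: Basic %s" http://localhost:8080/debug/ping\n'
                     % base64.b64encode(b"dbgadmin:Debug#2026").decode())
        pkg.writestr("README.txt", "Change the debug credentials before first use.\n")
        pkg.writestr("lib/app.jar", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    found = scan_package(build_sample_package())
    for f in found:
        print(f"{f['member']}:{f['line']} {f['key']} user={f['user']} value={f['value']}")
    print("still default:", defaults_still_deployed(found, {"debug.api.password": "Debug#2026"}))
```

Run against a real installer or an installed tree zipped up, the findings list is the inventory of shipped credentials to rotate; feeding `defaults_still_deployed` the values read from each host's live configuration turns the IA-5 requirement (change default authenticators before first use) into a check that can run in a pipeline. The placeholder filter keeps templated values out of the report, and the strings-style pass over binary members catches credentials compiled into class files rather than only those in config files.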

Details

CWE(s)

CWE-798 Use of Hard-coded Credentials

Affected Products

BMC Control-M/Managed File Transfer, versions 9.0.20 through 9.0.22

CVEs Like This One

CVE-2026-23780 (same product: BMC Control-M/Managed File Transfer)
CVE-2026-23782 (same product: BMC Control-M/Managed File Transfer)
CVE-2026-24346 (shared CWE-798)
CVE-2024-51547 (shared CWE-798)
CVE-2025-30122 (shared CWE-798)
CVE-2026-27785 (shared CWE-798)
CVE-2026-26218 (shared CWE-798)
CVE-2026-25803 (shared CWE-798)
CVE-2026-29119 (shared CWE-798)
CVE-2025-33089 (shared CWE-798)

References

https://docs.bmc.com/xwiki/bin/view/Control-M-Orchestration/Control-M/ctm9022/Patches/Control-M-MFT-PAAFP-9-0-22-025/
https://www.bmc.com/support/resources/issue-defect-management.html