CVE-2026-23781 · CRITICAL 9.8 · EPSS p20.0%

Description

An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A set of default debug user credentials is hardcoded in cleartext within the application package. If left unchanged, these credentials can be easily obtained and may allow unauthorized access to the MFT API debug interface.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.28% probability of exploitation · percentile 20.0% · 2026-06-18T12:00:27Z
Published: 2026-04-10
Last modified: 2026-04-27

Underlying weaknesses · 1

CWE-798

References

  1. https://docs.bmc.com/xwiki/bin/view/Control-M-Orchestration/Control-M/ctm9022/Patches/Control-M-MFT-PAAFP-9-0-22-025/
  2. https://www.bmc.com/support/resources/issue-defect-management.html

Type · Target · Confidence · Tier
Weakness · Use of Hard-coded Credentials (cwe-798) · 0% · live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-23780
CVE-2026-25202
CVE-2026-27785
CVE-2026-7365
CVE-2026-8605
CVE-2025-27690

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.