CVE-2026-23780

Severity CVSS v4.0:

Pending analysis

Type:

Unavailable / Other

Publication date:

10/04/2026

Last modified:

10/04/2026

Description

An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A SQL injection vulnerability in the MFT API&#39;s debug interface allows an authenticated attacker to inject malicious queries due to improper input validation and unsafe dynamic SQL handling. Successful exploitation can enable arbitrary file read/write operations and potentially lead to remote code execution.

Impact

References to Advisories, Solutions, and Tools

https://docs.bmc.com/xwiki/bin/view/Control-M-Orchestration/Control-M/ctm9022/Patches/Control-M-MFT-PAAFP-9-0-22-025/
https://www.bmc.com/support/resources/issue-defect-management.html