CVE Catalog

CVE-2026-10539

Critical · CVSS 9.0

Exploitation Probability (EPSS)

Low risk
0.24%

14th percentile — higher than 14% of all known CVEs

Summary

A vulnerability in Control-M/Server communication allows an unauthenticated attacker to execute unauthorized commands due to insufficient input filtering. The issue affects versions 9.0.20.x through 9.0.21.200 and potentially earlier unsupported versions.

Risk Assessment

The risk involves potential server compromise by an unauthenticated attacker, leading to loss of confidentiality, integrity, and availability of the system and data.

Recommendation

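Immediately upgrade Control-M/Server to version 9.0.21.200 or later; if no patch is available, apply temporary network restrictions to limit server access. Note that the NVD description below lists 9.0.21.200 itself as affected, so confirm the fixed release against the vendor's advisory before treating the upgrade as complete.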

Original NVD description (English source)

A Control-M/Server communication command does not sufficiently filter or sanitize user-supplied input. Under certain conditions, this issue may allow an unauthenticated attacker to execute unauthorized commands on the affected server, potentially leading to compromise of the server.  This vulnerability affects Control-M/Server versions 9.0.20.x to 9.0.21.200 (included) and potentially earlier unsupported versions.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS