CVE-2026-10539
Critical, CVSS 9.0
Exploitation Probability (EPSS): Low risk, 14th percentile (higher than 14% of all known CVEs)
Summary
A vulnerability in Control-M/Server communication allows an unauthenticated attacker to execute unauthorized commands due to insufficient input filtering. The issue affects versions 9.0.20.x through 9.0.21.200 and potentially earlier unsupported versions.
Risk Assessment
The risk involves potential server compromise by an unauthenticated attacker, leading to loss of confidentiality, integrity, and availability of the system and data.
Recommendation
Immediately upgrade Control-M/Server to version 9.0.21.200 or later; if no patch is available, apply temporary network restrictions to limit server access.
Original NVD description (English source)
A Control-M/Server communication command does not sufficiently filter or sanitize user-supplied input. Under certain conditions, this issue may allow an unauthenticated attacker to execute unauthorized commands on the affected server, potentially leading to compromise of the server. This vulnerability affects Control-M/Server versions 9.0.20.x to 9.0.21.200 (included) and potentially earlier unsupported versions.

