CVE 9.8 CRITICAL

CVE-2026-23781_CVE-2026-23781

April 14, 2026 invoker category_cve

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A set of default debug user credentials is hardcoded in cleartext within the application package. If left unchanged, these credentials can be easily obtained and may allow unauthorized access to the MFT API debug interface.

AI Analysis

Hardcoded default debug user credentials in cleartext allow unauthorized access to the MFT API debug interface.

Basic Information

ID CVE-2026-23781

Source mitre

Published Apr 10, 2026 at 00:00

Modified Apr 14, 2026 at 14:29

Affected Product

Vendor BMC

Product Control-M/MFT

Version 9.0.20, 9.0.21, 9.0.22

Affected Versions n/a n/a n/a

CWE Classification

CWE-798

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor BMC

Product Control-M/MFT

Version 9.0.20, 9.0.21, 9.0.22

References

{
    "lastseen": "",
    "description": "An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A set of default debug user credentials is hardcoded in cleartext within the application package. If left unchanged, these credentials can be easily obtained and may allow unauthorized access to the MFT API debug interface.",
    "published": "2026-04-10T00:00:00.000Z",
    "modified": "2026-04-14T14:29:17.309Z",
    "type": "cve",
    "title": "CVE-2026-23781",
    "source": "mitre",
    "references": "https://www.bmc.com/support/resources/issue-defect-management.html\nhttps://docs.bmc.com/xwiki/bin/view/Control-M-Orchestration/Control-M/ctm9022/Patches/Control-M-MFT-PAAFP-9-0-22-025/",
    "id": "CVE-2026-23781",
    "bulletinFamily": "",
    "cwe": [
        "CWE-798"
    ],
    "cvelist": null,
    "sourceData": "n/a n/a n/a",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Control-M/MFT",
    "version": "9.0.20, 9.0.21, 9.0.22",
    "vendor": "BMC",
    "ai_description": "Hardcoded default debug user credentials in cleartext allow unauthorized access to the MFT API debug interface.",
    "ai_severity": "Critical",
    "ai_vendor": "BMC",
    "ai_product": "Control-M/MFT",
    "ai_version": "9.0.20, 9.0.21, 9.0.22",
    "ai_score": 9.8
}

💭 Join the Security Discussion ❌ Cancel Reply