CVE-2026-10538 in Control-M

Summary

by MITRE • 07/01/2026

Messaging consumer functionality allows deserialization of user-controlled data without sufficient restriction of allowed object types in the out of support Control-M/Server and Control-M/Enterprise Manager versions 9.0.20.x and potentially earlier. This issue may allow an authenticated attacker to trigger unintended server-side behavior through crafted serialized content.


Analysis

by VulDB Data Team • 07/01/2026

This vulnerability exists within the messaging consumer functionality of Control-M/Server and Control-M/Enterprise Manager versions 9.0.20.x, and potentially earlier releases, all of which are no longer supported. The flaw stems from insufficient restriction of the object types accepted during deserialization, so user-controlled serialized data is processed without adequate validation. Exploitation requires authentication, but an authenticated attacker can use the weakness to trigger unintended server-side behavior through carefully crafted serialized content. Deserialization weaknesses of this class frequently end in arbitrary code or command execution on the affected host, so the issue should be treated as a serious gap even though the advisory itself describes the impact only as unintended server-side behavior.

Technically the vulnerability falls under CWE-502, Deserialization of Untrusted Data, a well-documented weakness class. When the messaging consumer reconstructs serialized objects it does not validate or restrict which classes may be instantiated, so an attacker can reference classes whose constructors, reconstruction hooks or post-load callbacks perform dangerous operations. This matches the common deserialization attack pattern: the attacker assembles a serialized payload from classes already present on the server (a "gadget chain"), and the dangerous behavior executes during deserialization itself, before application logic ever inspects the message.

The operational impact extends beyond privilege escalation or denial of service. An authenticated attacker could potentially use the weakness to reach sensitive system resources, execute arbitrary code on the server, or manipulate workflow definitions and job execution within the Control-M environment; since a scheduler's job definitions determine which commands run on its agent hosts, compromise of the server can translate into command execution across the managed estate. That the affected versions are out of support compounds the risk: organizations running them may not receive an official patch, leaving mitigation and upgrade as the only remediation options.

Organizations should immediately segment the network so that the Control-M/Server and Enterprise Manager messaging endpoints are reachable only from trusted hosts, and restrict authentication to the accounts and systems that genuinely need it, since the attack requires valid credentials. Where possible, disable messaging consumer functionality that is not needed. Because the vulnerable code is vendor code, the object-type restriction itself cannot be added by the customer; where the affected component runs on a JVM, however, a process-wide deserialization filter (the jdk.serialFilter property introduced by JEP 290) can enforce an allowlist without changing the application. Treat every component that parses serialized data as in scope for security assessment. The durable fix is migration to a supported version that includes the vendor's deserialization safeguards and continues to receive security updates; the network and authentication controls above are defense-in-depth measures that reduce exposure in the meantime.
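The vulnerable and hardened consumer patterns discussed in the analysis above (unrestricted deserialization of a message under CWE-502, and the allowlist of permitted object types that the mitigation paragraph calls for), as an added example written for this page rather than Control-M code. The page does not say which serialization format Control-M's messaging consumer uses, so the pattern is shown with Python's pickle, where overriding Unpickler.find_class is the type allowlist; JobMessage, Gadget, ALLOWED_TYPES and the sample payloads are constructed for illustration and are not taken from the product.

```python
"""Added example: CWE-502 in a message consumer, vulnerable and hardened forms.

Illustrative code written for this page, not Control-M code. The serialization
format used by the real product is not stated on the page; pickle is used here
because its find_class hook makes the object-type allowlist explicit.
"""
import io
import pickle


class JobMessage:
    """Constructed stand-in for a legitimate message the consumer expects."""

    def __init__(self, job_name: str, host: str) -> None:
        self.job_name = job_name
        self.host = host


class Gadget:
    """Constructed attacker object. pickle records the __reduce__ result, so
    loading it calls eval() on attacker-chosen text before any validation runs.
    The expression is harmless here; a real payload would spawn a process."""

    def __reduce__(self):
        return (eval, ("40 + 2",))


# Only these (module, class) pairs may be instantiated while loading a message.
# Built from the class object so the allowlist is correct however this module
# is imported. Constructed for this example.
ALLOWED_TYPES = {(JobMessage.__module__, JobMessage.__qualname__)}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global (class or function) lookup not on
    ALLOWED_TYPES. eval, os.system and similar gadget callables never resolve."""

    def find_class(self, module: str, name: str):
        if (module, name) in ALLOWED_TYPES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to deserialize {module}.{name}")


def make_legit_message() -> bytes:
    """Constructed sample: what a well-behaved producer would send."""
    return pickle.dumps(JobMessage("nightly-backup", "app01"))


def make_gadget_payload() -> bytes:
    """Constructed sample: what an authenticated attacker would send instead."""
    return pickle.dumps(Gadget())


def unsafe_consume(raw: bytes):
    """Vulnerable consumer: no restriction on object types (the CWE-502 pattern).
    For the gadget payload this returns the eval() result, proving the
    attacker-chosen callable ran during deserialization."""
    return pickle.loads(raw)


def safe_consume(raw: bytes) -> JobMessage:
    """Hardened consumer: allowlist enforced during load, then the top-level
    type is checked so a permitted class cannot be substituted for another."""
    obj = RestrictedUnpickler(io.BytesIO(raw)).load()
    if not isinstance(obj, JobMessage):
        raise pickle.UnpicklingError(f"unexpected top-level type {type(obj).__name__}")
    return obj


def is_rejected(raw: bytes) -> bool:
    """True if the hardened consumer refuses the payload (no code runs)."""
    try:
        safe_consume(raw)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe consumer on gadget payload returned:", unsafe_consume(make_gadget_payload()))
    print("safe consumer on legit message:", safe_consume(make_legit_message()).job_name)
    print("safe consumer rejects gadget payload:", is_rejected(make_gadget_payload()))
```

The important property is where the check happens: the restricted loader refuses the gadget inside find_class, before the attacker's callable is ever resolved, whereas a type check applied after pickle.loads would run too late because the side effect has already fired. A JVM deserialization filter (jdk.serialFilter / ObjectInputFilter) sits at the same point in the Java pipeline.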

Responsible

Airbus

Reservation

06/01/2026

Disclosure

07/01/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources
