CVE-2026-10539 in Control-M/Server

Summary

by MITRE • 07/01/2026

A Control-M/Server communication command does not sufficiently filter or sanitize user-supplied input. Under certain conditions, this issue may allow an unauthenticated attacker to execute unauthorized commands on the affected server, potentially leading to compromise of the server.

This vulnerability affects Control-M/Server versions 9.0.20.x to 9.0.21.200 (included) and potentially earlier unsupported versions.


Analysis

by VulDB Data Team • 07/01/2026

The vulnerability in Control-M/Server is a command injection flaw that stems from inadequate input validation in the communication command processing mechanism. The server does not sufficiently filter or sanitize user-supplied data, so crafted input can be interpreted as executable commands rather than treated as inert data. The flaw affects versions 9.0.20.x through 9.0.21.200 (inclusive), with potential exposure in earlier, unsupported releases, which makes it a broad concern for organizations that run this job scheduling and automation platform.

Technically the flaw maps to CWE-74, improper neutralization of special elements in output used by a downstream component (injection), and CWE-94, improper control of generation of code. It lets an unauthenticated attacker reach the communication command interface and execute arbitrary commands on the target server with the privileges of the Control-M/Server process. This is a remote code execution vector rather than a local privilege escalation: a successful attacker gains control of the host with whatever rights that process holds, including access to job scheduling data, automation workflows and any credentials or infrastructure the scheduler is entitled to reach.
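The following is an added, generic illustration of the CWE-74 flaw class described above and of the fix the vendor patch would need to apply; it is not Control-M/Server code, and nothing in it is derived from the actual vulnerable command. The handler names, the "job name" parameter, the allowlist pattern and the use of `echo` as the underlying command are all assumptions made for illustration. The vulnerable handler interpolates untrusted input into a shell command line; the hardened one rejects anything outside an allowlist and runs an argv list without a shell, so metacharacters are never interpreted.

```python
"""Generic illustration of a CWE-74-style command injection and its fix.

Constructed example, not Control-M/Server code. The handler names, the
"job name" parameter, the allowlist and the use of `echo` as the underlying
command are assumptions made for illustration only.
"""
import re
import subprocess

# Hypothetical allowlist for a job-name-like token: letters, digits, '_', '.', '-'.
_SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def vulnerable_handler(job_name: str) -> str:
    """Interpolates untrusted input into a shell command line (the flaw class).

    Anything the shell treats as special in job_name (';', '|', '$(...)',
    backticks) becomes part of the command instead of being data.
    """
    cmd = f"echo job={job_name}"
    completed = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return completed.stdout


def hardened_handler(job_name: str) -> str:
    """Validates input against an allowlist, then runs argv without a shell.

    Rejecting anything outside the allowlist is the primary control; passing
    an argv list (no shell) is defence in depth, so metacharacters are never
    interpreted even if the validation is loosened later.
    """
    if not _SAFE_TOKEN.fullmatch(job_name):
        raise ValueError(f"rejected job name: {job_name!r}")
    completed = subprocess.run(
        ["echo", f"job={job_name}"], shell=False, capture_output=True, text=True
    )
    return completed.stdout


def injected(output: str, marker: str = "INJECTED") -> bool:
    """True if the attacker's marker ran as its own command.

    With the vulnerable handler the marker appears on its own output line;
    with the hardened handler it can only ever appear inside the 'job=' data.
    """
    return any(line.strip() == marker for line in output.splitlines())


if __name__ == "__main__":
    payload = "nightly; echo INJECTED"   # constructed attacker input
    print(vulnerable_handler(payload))   # prints 'job=nightly' then 'INJECTED'
    try:
        hardened_handler(payload)
    except ValueError as exc:
        print("hardened handler:", exc)
    print(hardened_handler("nightly"), end="")
```

The second command in the payload runs only because the vulnerable handler hands a string to `/bin/sh`; the hardened handler fails closed on the same input before any process is spawned, which is the behaviour a patch for this class of bug has to restore.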

From an operational perspective, this vulnerability poses significant risks to enterprise environments that rely on Control-M/Server for critical job scheduling and automation tasks. The unauthenticated nature of the attack means that adversaries can exploit this weakness without requiring valid credentials, making it particularly dangerous for systems with exposed network interfaces or those accessible from untrusted networks. Successful exploitation could lead to complete system compromise, data exfiltration, disruption of automated processes, and potential lateral movement within the enterprise network.

Mitigation should start with patching affected Control-M/Server installations to a supported release that contains the input validation fix. Until that is done, organizations should segment the network so that Control-M/Server components are reachable only from trusted hosts, restrict communication to known sources, and place authentication or transport protection in front of the interface where the product allows it. In ATT&CK terms, exploitation maps to T1059 (Command and Scripting Interpreter); T1078 (Valid Accounts) becomes relevant if the attacker harvests credentials from the compromised scheduler and reuses them elsewhere. Organizations should also review the exposure of their Control-M/Server deployments and monitor for unexpected child processes or command patterns originating from the scheduler host.

Responsible: Airbus
Reservation: 06/01/2026
Disclosure: 07/01/2026
Moderation: accepted
CPE: ready
EPSS: 0.00000
KEV: no
Activities: very low
