{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-23781", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-14T14:29:17.309Z", "dateReserved": "2026-01-16T00:00:00.000Z", "datePublished": "2026-04-10T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-10T15:52:02.482Z"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A set of default debug user credentials is hardcoded in cleartext within the application package. If left unchanged, these credentials can be easily obtained and may allow unauthorized access to the MFT API debug interface."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.bmc.com/support/resources/issue-defect-management.html"}, {"url": "https://docs.bmc.com/xwiki/bin/view/Control-M-Orchestration/Control-M/ctm9022/Patches/Control-M-MFT-PAAFP-9-0-22-025/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-798", "lang": "en", "description": "CWE-798 Use of Hard-coded Credentials"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T14:27:56.528805Z", "id": "CVE-2026-23781", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:29:17.309Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-23781", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T14:27:56.528805Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-798", "description": "CWE-798 Use of Hard-coded Credentials"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:28:46.129Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://www.bmc.com/support/resources/issue-defect-management.html"}, {"url": "https://docs.bmc.com/xwiki/bin/view/Control-M-Orchestration/Control-M/ctm9022/Patches/Control-M-MFT-PAAFP-9-0-22-025/"}], "descriptions": [{"lang": "en", "value": "An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A set of default debug user credentials is hardcoded in cleartext within the application package. If left unchanged, these credentials can be easily obtained and may allow unauthorized access to the MFT API debug interface."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-10T15:52:02.482Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23781", "state": "PUBLISHED", "dateUpdated": "2026-04-14T14:29:17.309Z", "dateReserved": "2026-01-16T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-10T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A set of default debug user credentials is hardcoded in cleartext within the application package. If left unchanged, these credentials can be easily obtained and may allow unauthorized access to the MFT API debug interface."}], "id": "CVE-2026-23781", "lastModified": "2026-04-14T15:16:26.173", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-10T16:16:30.400", "references": [{"source": "cve@mitre.org", "url": "https://docs.bmc.com/xwiki/bin/view/Control-M-Orchestration/Control-M/ctm9022/Patches/Control-M-MFT-PAAFP-9-0-22-025/"}, {"source": "cve@mitre.org", "url": "https://www.bmc.com/support/resources/issue-defect-management.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.20,9.0.22]"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 87.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "control-m", "vendor": "bmc"}], "analysis": {"en": {"generated_at": "2026-04-14T18:18:44.443035+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2011released patch Control\u2011M\u2011MFT\u2011PAAFP\u20119\u20110\u201122\u2011025 to remove hard\u2011coded credentials from the application package.", "Verify the patch by confirming that the original default debug credentials no longer work for API access.", "Limit exposure of the MFT API debug interface by configuring firewall or network segmentation rules so that only trusted hosts can reach it.", "Conduct regular audits for other default or weak credentials and enforce password changes during installation and configuration updates."], "summary": {"action": "Apply Patch", "impact": "Unauthorized access to MFT API debug interface"}, "threat_synthesis": {"affected_systems": "BMC Control\u2011M and MFT versions 9.0.20, 9.0.21, and 9.0.22 are affected by the hard\u2011coded credentials.", "description_and_impact": "A set of default debug user credentials is embedded in cleartext within BMC Control\u2011M/MFT versions 9.0.20 through 9.0.22. The presence of these credentials means that the application can be accessed without any password change until the patch is applied. This vulnerability allows an unauthenticated attacker to log into the debug interface of the MFT API. Based on the description, it is inferred that such access could potentially expose sensitive configuration data or internal logs, but the CVE does not explicitly state the extent of actions an attacker could perform beyond obtaining API access.", "risk_and_exploitability": "The CVSS score of 9.8 indicates critical severity, reflecting the high impact of unauthorized API access. The EPSS score is less than 1%, suggesting current exploitation is rare, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is network access to the MFT API combined with the use of predictable default credentials, an inference drawn from the nature of the hard\u2011coded credentials described."}}}}, "created": "2026-04-13T12:51:41.483191+00:00", "title": "Hard\u2011Coded Default Debug Credentials in BMC Control\u2011M/MFT", "updated": "2026-04-15T16:00:07.795179+00:00", "vendors": ["bmc", "bmc$PRODUCT$control-m"]}