CVE-2026-23781 -- CVSS 9.8 Vulnerability Briefing

CVE-2026-23781 | CVSS 9.8 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-23781 is a hardcoded credentials vulnerability in BMC Control-M/MFT versions 9.0.20 through 9.0.22, a managed file transfer component of the BMC Control-M workload automation platform.

Technical Detail

The application package contains a set of default debug user credentials stored in cleartext, meaning any party with access to the package or its configuration files can recover them without any cryptographic effort. An attacker who obtains these credentials, whether through package inspection, insider access, or file system exposure, can authenticate to the application as a privileged debug user without any additional exploitation steps. Depending on the permissions associated with the debug account, this could result in unauthorized access to managed file transfer operations, sensitive data in transit, and potentially lateral movement within environments where Control-M/MFT is integrated with broader enterprise workflows. The CVSS score of 9.8 reflects the low attack complexity and the absence of any authentication prerequisite for exploitation once credentials are known.

Exploitation Status

No known exploit code has been publicly observed or confirmed at this time, and this CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog. However, the nature of hardcoded cleartext credentials means that exploitation requires no specialized tooling; any actor who identifies the credentials through package analysis or disclosure can immediately leverage them. The practical barrier to exploitation is low even in the absence of a formal exploit.

Who Is Targeting This

No specific threat actor attribution has been confirmed at this time. BMC Control-M is widely deployed in enterprise and financial sector environments, which historically attract interest from both financially motivated actors and espionage-oriented groups, but no campaigns or actors have been linked to this specific vulnerability as of the date of this briefing.

What To Do

Organizations running BMC Control-M/MFT versions 9.0.20 through 9.0.22 should apply vendor-supplied patches immediately given the critical severity rating and the trivial exploitation path. As an interim measure, administrators should audit the application package and configuration files to identify and manually disable or change any default debug user accounts before a patch can be applied. Network access to the Control-M/MFT management interface should be restricted to trusted hosts and administrative networks only. Audit logs should be reviewed for any authentication events associated with debug or default account names. Confirm with BMC whether a fixed version is available and prioritize deployment in environments where Control-M/MFT handles sensitive or regulated data transfers.
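The log-review step above, as an added example that is not part of this briefing or of any BMC tooling: it scans authentication log lines for any event tied to a default or debug account name and marks whether the source address falls inside an assumed administrative network. The line format, the account names in the watchlist and the trusted network are all constructed placeholders; substitute the real Control-M/MFT audit log format and the account names found while auditing the package.

```python
import ipaddress
import re
from collections import namedtuple

# Hypothetical line format, constructed for this example (not Control-M/MFT's real format):
#   <ISO timestamp> auth user=<name> src=<ip> result=<SUCCESS|FAILURE>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>SUCCESS|FAILURE)$"
)

# Placeholder watchlist (assumed names): replace with the default/debug account
# names identified while auditing the package and its configuration files.
WATCHLIST = {"debug", "debuguser", "mftdebug"}

# Assumed administrative network from which management logins are expected.
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/24")]

Finding = namedtuple("Finding", "ts user src result trusted_src")

def is_trusted(src: str) -> bool:
    # True only if src parses as an IP address inside a trusted admin network.
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source is treated as untrusted
    return any(ip in net for net in TRUSTED_NETS)

def scan(lines):
    # Every auth event (success or failure) for a watchlisted account is a finding.
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m["user"].lower() in WATCHLIST:  # case-insensitive name match
            findings.append(Finding(m["ts"], m["user"], m["src"], m["result"],
                                    is_trusted(m["src"])))
    return findings

# Constructed sample log: debug logins from an outside address, one failed attempt
# from the admin network, and ordinary traffic that must not be flagged.
SAMPLE_LOG = """\
2026-01-15T08:00:01Z auth user=ops_scheduler src=10.10.0.5 result=SUCCESS
2026-01-15T08:02:14Z auth user=debug src=198.51.100.23 result=SUCCESS
2026-01-15T08:03:50Z auth user=debug src=198.51.100.23 result=FAILURE
2026-01-15T08:04:10Z auth user=MftDebug src=10.10.0.7 result=FAILURE
2026-01-15T08:05:00Z auth user=alice src=10.10.0.9 result=FAILURE""".splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.user}@{f.src} {f.result} ({'trusted' if f.trusted_src else 'UNTRUSTED'} source)")
```

A successful login by a watchlisted account from outside the trusted network is the finding to escalate first; failed attempts still indicate that someone is trying the default names.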
