Important Security Update for Control-M/Agent
8 September 2025
BMC is providing advance notice that a set of CVEs affecting Control-M/Agents will be published. These CVEs are specific to self-hosted environments and do not impact Control-M SaaS Agents.
This Technical Bulletin strongly recommends that you enable SSL/TLS for communication between Control-M/Agents and Control-M/Servers. SSL/TLS is the industry standard for secure communication and has been fully supported in Control-M for many years.
Even though Control-M components are often deployed within company firewalls and security perimeters, a non-TLS configuration leaves communication vulnerable to interception and tampering. Two common risk scenarios are:
- External Breach: A third party penetrates the company’s network and gains access to communication between Control-M/Servers and Agents.
- Insider Threat: Someone with legitimate access compromises confidentiality, integrity, or availability.
For comprehensive details on the upcoming disclosure, including the applicability of CVEs, potential impact, and recommended best practices for mitigation, see KA 000442099.
Advisory Timeline
| Date | Action |
| --- | --- |
| 10 September 2025 | Advance Customer Notification (this Technical Bulletin) |
| 16 September 2025 | Planned public CVE Disclosure (via MITRE/NVD) |
| November 2025 | Planned public disclosure of a specific CVE related to enabling SSL/TLS |