{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-23781", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-14T14:29:17.309Z", "dateReserved": "2026-01-16T00:00:00.000Z", "datePublished": "2026-04-10T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-10T15:52:02.482Z"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A set of default debug user credentials is hardcoded in cleartext within the application package. If left unchanged, these credentials can be easily obtained and may allow unauthorized access to the MFT API debug interface."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.bmc.com/support/resources/issue-defect-management.html"}, {"url": "https://docs.bmc.com/xwiki/bin/view/Control-M-Orchestration/Control-M/ctm9022/Patches/Control-M-MFT-PAAFP-9-0-22-025/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-798", "lang": "en", "description": "CWE-798 Use of Hard-coded Credentials"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T14:27:56.528805Z", "id": "CVE-2026-23781", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:29:17.309Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-23781", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T14:27:56.528805Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-798", "description": "CWE-798 Use of Hard-coded Credentials"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:28:46.129Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://www.bmc.com/support/resources/issue-defect-management.html"}, {"url": "https://docs.bmc.com/xwiki/bin/view/Control-M-Orchestration/Control-M/ctm9022/Patches/Control-M-MFT-PAAFP-9-0-22-025/"}], "descriptions": [{"lang": "en", "value": "An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A set of default debug user credentials is hardcoded in cleartext within the application package. If left unchanged, these credentials can be easily obtained and may allow unauthorized access to the MFT API debug interface."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-10T15:52:02.482Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23781", "state": "PUBLISHED", "dateUpdated": "2026-04-14T14:29:17.309Z", "dateReserved": "2026-01-16T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-10T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A set of default debug user credentials is hardcoded in cleartext within the application package. If left unchanged, these credentials can be easily obtained and may allow unauthorized access to the MFT API debug interface."}], "id": "CVE-2026-23781", "lastModified": "2026-04-14T15:16:26.173", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-10T16:16:30.400", "references": [{"source": "cve@mitre.org", "url": "https://docs.bmc.com/xwiki/bin/view/Control-M-Orchestration/Control-M/ctm9022/Patches/Control-M-MFT-PAAFP-9-0-22-025/"}, {"source": "cve@mitre.org", "url": "https://www.bmc.com/support/resources/issue-defect-management.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.20,9.0.22]"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 87.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "control-m", "vendor": "bmc"}], "analysis": {"en": {"generated_at": "2026-04-10T17:32:42.890103+00:00", "value": {"mitigation_remediation": ["Apply the BMC Control\u2011M/MFT patch referenced in the BMC documentation (MFT\u2011PAAFP\u20119\u20110\u201122\u2011025) for versions 9.0.20 to 9.0.22.", "Disable or remove the default debug credentials from the application package if the patch cannot be applied immediately.", "Restrict network access to the MFT API debug interface so that only trusted hosts can reach it.", "Verify that the application runtime does not expose the debug interface publicly in production environments."], "summary": {"action": "Patch Immediately", "impact": "Unauthorized access to MFT API debug interface"}, "threat_synthesis": {"affected_systems": "BMC Software\u2019s Control\u2011M/MFT runs on the affected versions 9.0.20, 9.0.21, and 9.0.22. These versions include the hardcoded debug credentials within the application package. Users deploying any of these releases without applying official updates are especially susceptible.", "description_and_impact": "A set of default debug user credentials is hardcoded in cleartext within the BMC Control\u2011M/MFT application package for versions 9.0.20 through 9.0.22. If those credentials remain unchanged, an attacker can retrieve them easily and gain unauthorized access to the MFT API debug interface, potentially exposing sensitive data or enabling further privileged actions within the system. The presence of cleartext credentials in the application binary directly exposes authentication information, representing a significant weakness that can be abused by anyone with knowledge of the default values.", "risk_and_exploitability": "The vulnerability is not listed in the KEV catalog and its EPSS score is unavailable, but the nature of the flaw\u2014cleartext hardcoded credentials that provide API access\u2014means it is exploitable by entities that can reach the debug interface, either locally or remotely over the network. The attack vector is inferred to be via the exposed API endpoint; after obtaining the credentials, an attacker can authenticate and use the debug interface as if they were a legitimate user. Given the lack of mitigation from supplied data, the risk remains high until the patch is applied."}}}}, "created": "2026-04-13T12:51:41.483191+00:00", "title": "Hardcoded Default Debug Credentials in BMC Control\u2011M/MFT 9.0.20\u20139.0.22 Permit Unauthorized API Access", "updated": "2026-04-13T13:06:24.509662+00:00", "vendors": ["bmc", "bmc$PRODUCT$control-m"], "weaknesses": ["CWE-259"]}