cbcvebase.
CVE-2026-23781
published 2026-04-10

CVE-2026-23781: An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A set of default debug user credentials is hardcoded in cleartext within the application…

PriorityP357critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.28%
20.1th percentile
An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A set of default debug user credentials is hardcoded in cleartext within the application package. If left unchanged, these credentials can be easily obtained and may allow unauthorized access to the MFT API debug interface.

Affected

1 ranges
VendorProductVersion rangeFixed in
bmccontrol-m_managed_file_transfer9.0.20 – 9.0.22

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_redhat8.8HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.