The Agent is exposed to this CVE-2025-55108 when either of the following conditions apply:

• The Agent is not using SSL/TLS.
• The Agent is using SSL/TLS and one or more of the following conditions apply:
  • The Agent is not using Security Level 4 (mutual authentication)
  • The Agent keystore contains certificates issued from a third party Certificate Authority
  • The Agent keystore contains extra certificates not needed for Server -> Agent communication

BMC recommends applying any changes in a test environment prior to performing them in a production environment.

Immediate Mitigation:

Until you are able to implement the below solution, BMC recommends having your network team implement measures to allow access to the Control-M/Agent's Server-to-Agent port only from authorized Control-M/Server machines

Complete Solution:

1. Upgrade Control-M/Agents to version 9.0.21.xxx or 9.0.22.
2. Ensure SSL/TLS is implemented on all Agents according to best practices.
   • In the default configuration with all Agents currently in TCP mode:
     • See article 000442271 for best practices and procedures for implementing SSL/TLS for the first time, including other corrective actions needed.
   • With some or all Agents in SSL/TLS mode:
     • See article 000442490 for procedures to update your SSL/TLS configuration with the latest best practices.