Control-M/Agent is affected by CVE-2025-55110 : hardcoded default keystore password

Knowledge Article

Control-M/Agent is affected by CVE-2025-55110 : hardcoded default keystore password
Control-M/Agent for UNIX and Microsoft Windows
Control-M/Agent for UNIX and Microsoft Windows
Control-M/Agent ; version 9.0.22 and lower ; Unix/Linux, Windows

CVE-2025-55110

Control-M/Agent hardcoded default keystore password

Severity: Medium (5.5)

Control-M/Agents use a kdb or PKCS#12 keystore by default, and the default keystore password is well known and documented.

An attacker with read access to the keystore could access sensitive data using this password.
CVE-2025-55110

  1. Determine which Control-M/Agents use SSL/TLS communication with Control-M/Server:

    1. Open the Control-M Configuration Manager (CCM)
    2. If the SSL column is not currently showing, right click on any column header and select "Column chooser"
    3. From the Column chooser dialog, drag the "SSL" column into the columns view.
    4. Select each Control-M/Server in the tree on the left to view the Control-M/Agents in the middle pane
    5. In the "Type" column header, set the filter to "Control-M Agent"
    6. Sort by the SSL column and any Agents with SSL set to "Enabled" will need to be handled below
    7. To create a file with this list of Agents, select the dropdown on the top left next to Home, then select Exports List

    If SSL/TLS is not used, then the Agent is not affected by this CVE and nothing further is needed.

  2. If SSL/TLS is enabled, determine the Control-M/Agent keystore name and file type on each Agent.

    • UNIX/Linux:
      grep -i keyfile $CONTROLM/data/SSL/cert/site.plc
    • Windows:
      reg query "HKLM\SOFTWARE\BMC Software\Control-M/Agent" /v keyfile /s
    If the "keyfile" points to a KDB file (e.g. agkey.kdb), then the keystore type is KDB. Go to the next step, regarding KDB keystores.
    If the "keyfile" points to a PKCS#12 file (.pfx or .p12), then skip the step regarding KDB keystores and continue with the one regarding PKCS#12 keystores.

  3. For Control-M/Agents that utilize the KDB keystore type, deploy a PKCS#12 keystore by following the procedure described in the documentation.

    NOTE: In step 7 in the below documentation, this only needs to be applied on the Agents using SSL/TLS, not for Control-M/Enterprise Manager or Control-M/Server.
    https://documents.bmc.com/supportu/9.0.22/en-US/Documentation/Zone_2_and_3_SSL_configuration.htm

    Additional Information describing the process: https://youtu.be/3Jz-to-0e50?si=4nIJbPKpveouPTe0

  4. For any PKCS#12 keystore, check the password to see if it is currently using a default password.

    • On each Agent, run:
      <JAVA_HOME>/bin/keytool -list -keystore "<path to keystore file>" -storepass abcd1234
    • If the output is "keytool error: java.io.IOException: keystore password was incorrect", then the keystore is not using the default password and this Agent is not affected.
    • If the output displays the keystore details, then it is using a default password.
  5. Change the keystore password to a secure password if a default password is being used.
    Note: Please be careful if using special characters in your shell. Certain special characters can be interpreted by the shell and will need to be escaped.
    Consult a system administrator if you need help with special characters.
    Consult your security administrators for password security guidelines.
    1. Back up the current keystore file.
    2. Run the following command to change the password of the keystore:
      <JAVA_HOME>/bin/keytool -storepasswd -keystore "<keystore file name>" -storepass abcd1234 -new <new password>

    3. Do the following to configure Control-M with the new password:

      • Control-M/Agent version 9.0.21 and 9.0.22:
        To encrypt and store the <new password> into the local Agent password repository, run the following command:
        ctmpwd -ACTION UPDATE -USER "*SSL_KEYSTORE" -PASSWORD "<new password>" -VERIFY N
      • Control-M/Agent version 9.0.20.X:
        Use the ctmkeytool utility to configure the Agent with the new password:
        <Agent Home>/exe/ctmkeytool -keystore <p12 keystore file with its full path> -password <keystore password> -passwkey <name of file containing the password encryption key, with its full path>
        https://documents.bmc.com/supportu/9.0.22/en-US/Documentation/Zone_2_and_3_SSL_configuration.htm#ConfiguringSSLinZone2and3
  6. You may verify the password was changed by re-running the "keytool -list" command from above.
  7. Restart the Agent to verify the changes.
Control-M/Agent for UNIX and Microsoft Windows
Control-M/Agent for UNIX and Microsoft Windows
Control-M/Agent ; version 9.0.22 and lower ; Unix/Linux, Windows
Control-M/Agent for UNIX and Microsoft Windows
Control-M/Agent for UNIX and Microsoft Windows
Control-M/Agent ; version 9.0.22 and lower ; Unix/Linux, Windows
Attachment(s):