CVE-2025-55112

Blowfish keys are hardcoded in the Control-M/Agent binary files

Severity: High (7.4)

Out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 (and potentially earlier unsupported versions) that are configured to use the non-default Blowfish cryptography algorithm use a hardcoded key. An attacker with access to network traffic and to this key could decrypt network traffic between the Control-M/Agent and Server.

It is necessary to verify the current encryption used with Control-M/Agent by checking for the existence of the local.key file which uses AES rather than the older Blowfish encryption if the file does not exist.

Primary Solution:

Upgrade to a fully supported version of Control-M/Agent (if not on a supported version).

BMC recommends you upgrade Control-M/Agent to the latest major version and Fix Pack available

Alternate Solution when unable to upgrade yet:

1. On each Control-M/Agent, check if Blowfish is in use by looking for the existence of the local.key file.
   • Unix/Linux:  <Agent home>/data/keys/local.key
   • Windows:   <Agent home>\DATA\keys\local.key

   If the local.key file does not exist, continue to step 2, otherwise this Agent is not affected and no additional steps are needed.

2. Shut down the Agent.
   • Unix/Linux: As the Control-M/Agent user, run the command: shut-ag
   • Windows: Stop the Control-M/Agent service from Windows services.msc
3. Run the following command as the Agent user to convert from Blowfish to AES:
   ctmagcpk
4. Verify that the local.key file now exists in the above data/keys location.
5. Start the Agent.
   • Unix/Linux: As the Control-M/Agent user, run the command: start-ag
   • Windows: Start the Control-M/Agent service from Windows services.msc