Control-M/Agent 9.0.20 and lower is affected by CVE-2025-55114 : improper IP address filtering order

Knowledge Article

Article Number

000441968

Old Article Number

Article Type

Solutions to a Product Problem

Title

Control-M/Agent 9.0.20 and lower is affected by CVE-2025-55114 : improper IP address filtering order

Summary

Product

Control-M/Agent for UNIX and Microsoft Windows

Component

Control-M/Agent for UNIX and Microsoft Windows

Applies to

Control-M/Agent 9.0.20 and lower

Problem

CVE-2025-55114

Control-M/Agent improper IP address filtering order

Severity: Medium (5.3)

The improper order of AUTHORIZED_CTM_IP validation in the Control-M/Agent, where the Control-M/Server IP address is validated only after the SSL/TLS handshake is completed, exposes the Control-M/Agent to vulnerabilities in the SSL/TLS implementation under certain non-default conditions (e.g. CVE-2025-55117 or CVE-2025-55118) or potentially to resource exhaustion.

This CVE only applies when SSL/TLS is enabled on Agent 9.0.20 and lower and the AUTHORIZED_CTM_IP parameter is in use.
This parameter is not used by default.

Cause

CVE-2025-55114

Solution

Primary Solution:

Upgrade to a fully supported version of Control-M/Agent (if not on a supported version).
BMC recommends you upgrade Control-M/Agent to the latest major version and Fix Pack available

Alternate Solution when unable to upgrade yet:

Determine which Agents are using SSL/TLS.
1. Open the Control-M Configuration Manager (CCM)
2. If the SSL column is not currently showing, right click on any column header and select "Column chooser"
3. From the Column chooser dialog, drag the "SSL" column into the columns view.
4. Select each Control-M/Server in the tree on the left to view the Control-M/Agents in the middle pane
5. In the "Type" column header, set the filter to "Control-M Agent"
6. Sort by the SSL column and any Agents with SSL set to "Enabled" will need to be handled below
7. To create a file with this list of Agents, select the dropdown on the top left next to Home, then select Exports List
On each Agent using SSL/TLS, run the following command to determine which Agents have the parameter AUTHORIZED_CTM_IP:
- Windows:
  reg query "HKLM\SOFTWARE\BMC Software\Control-M/Agent" /v AUTHORIZED_CTM_IP /s
- UNIX/Linux:
  grep AUTHORIZED_CTM_IP "$CONTROLM/data/CONFIG.dat"
- If the above commands do not return a result, then this Agent is not affected and no further action is needed.
  Otherwise, this parameter is in use. Proceed to the next step.
- Consult with your Network Administrator to create network firewall rules to only allow access to the Server-to-Agent port from authorized Control-M/Server hosts

Attachment(s):