For Control-M Administrators:
The solution consists of implementing SSL/TLS and remediating the specific vulnerabilities that apply to your Agent version.
Deviating from the documented steps can leave Agents exposed to these CVEs.
Steps to resolve all of the CVEs:
- Upgrade Control-M/Agents to version 9.0.21.xxx or 9.0.22.xxx.
- Ensure the JAVA_AR parameter is set to Y. See article 000441972 for details.
- Ensure SSL/TLS is implemented on all Agents according to best practices:
  - In the default configuration, with all Agents currently in TCP mode: see article 000442271 for best practices and procedures for implementing SSL/TLS for the first time, including the other corrective actions needed.
  - With some or all Agents in SSL/TLS mode: see article 000442490 for procedures to update your SSL/TLS configuration with the latest best practices.
FAQ:
- Are there any steps to immediately lessen the impact of these CVEs?
  - Until you are able to implement the recommended solution, have your network team implement firewall rules that only allow access to the Control-M/Agent's Server-to-Agent port from authorized Control-M/Server machines. See article 000230698 for a list of the ports Control-M uses.
- Is there any alternate solution for Control-M/Agents below 9.0.21?
  - No. The only way to resolve all CVEs is to upgrade to version 9.0.21 or higher and perform the solution steps for that version.
- If I already have SSL/TLS implemented, am I affected?
  - Possibly. You can still be affected if SSL/TLS is not implemented according to best practices (article 000442490).
- Do these CVEs affect Remote Hosts/Agentless?
  - No, Remote Hosts/Agentless are not affected.
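The interim mitigation from the first FAQ answer, applied on the Agent host itself as a host firewall in addition to the network-team rules, written as an added example that is not from the BMC article or BMC tooling. It assumes Linux with iptables, that the Server-to-Agent listener is TCP port 7006 (the Agent's usual default; confirm it against article 000230698 and your Agent's own configuration), and uses constructed 192.0.2.x addresses for the authorized Control-M/Servers. Rules go into a dedicated chain so the script can be re-run without duplicating entries.

```shell
#!/bin/sh
# Added example (not from the BMC article): host-firewall rules that restrict the
# Control-M/Agent's Server-to-Agent listener to authorized Control-M/Server hosts.
# Assumptions: Linux with iptables; the listener is TCP 7006 (the Agent's usual
# default; confirm against article 000230698 and the Agent's configuration).

# Print the iptables commands for the given authorized servers and port, one per
# line, without executing anything.
#   $1  space-separated Control-M/Server IPs or CIDRs
#   $2  Server-to-Agent port (assumed default 7006)
ctm_agent_fw_rules() {
    port=${2:-7006}
    # Dedicated chain: creating it is idempotent, flushing it drops stale entries.
    printf 'iptables -N CTM_AGENT 2>/dev/null\n'
    printf 'iptables -F CTM_AGENT\n'
    for src in $1; do
        printf 'iptables -A CTM_AGENT -s %s -j ACCEPT\n' "$src"
    done
    # Everything else reaching the Agent port is logged (rate-limited so a scan
    # cannot flood syslog) and dropped, which also gives the SOC a detection hook.
    printf 'iptables -A CTM_AGENT -m limit --limit 5/min -j LOG --log-prefix "CTM-AGENT-DENY "\n'
    printf 'iptables -A CTM_AGENT -j DROP\n'
    # Re-attach the jump at the top of INPUT (delete first so re-runs stay idempotent).
    printf 'iptables -D INPUT -p tcp --dport %s -j CTM_AGENT 2>/dev/null\n' "$port"
    printf 'iptables -I INPUT -p tcp --dport %s -j CTM_AGENT\n' "$port"
}

# Dry run by default; set CTM_FW_APPLY=1 to execute each rule (run as root).
ctm_agent_fw_apply() {
    ctm_agent_fw_rules "$1" "$2" | while IFS= read -r rule; do
        if [ "${CTM_FW_APPLY:-0}" = 1 ]; then
            eval "$rule"
        else
            echo "$rule"
        fi
    done
}

# Constructed sample: two authorized Control-M/Servers (RFC 5737 test addresses).
ctm_agent_fw_apply "192.0.2.10 192.0.2.11" 7006
```

Run it once to review the generated rules, then again with `CTM_FW_APPLY=1` as root. The chain only filters inbound connections to the Agent's listening port, so the Agent's own outbound Agent-to-Server traffic is unaffected; remember to persist the rules with your distribution's iptables-save mechanism.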
For Security Administrators:
| Agent Version | Applicable CVEs | CVSS Score | Applicable ONLY when |
|---|---|---|---|
| 9.0.22.xxx and 9.0.21.xxx (Full Support) | CVE-2025-55108 | 10.0 - Critical | Pending disclosure: related to enabling SSL/TLS between Control-M/Server and Agents (public disclosure planned in 2 months) |
| 9.0.22.xxx and 9.0.21.xxx (Full Support) | CVE-2025-55109 | 9.0 - Critical | Using SSL/TLS between Control-M/Server and Agent with an empty or default KDB Agent keystore or a default PKCS#12 keystore |
| 9.0.22.xxx and 9.0.21.xxx (Full Support) | CVE-2025-55110 | 5.5 - Medium | Using SSL/TLS between Control-M/Server and Agent with the default keystore password |
| 9.0.22.xxx and 9.0.21.xxx (Full Support) | CVE-2025-55111 | 5.5 - Medium | Using SSL/TLS with Control-M/Agents upgraded from version 9.0.20 or earlier |
| 9.0.22.xxx and 9.0.21.xxx (Full Support) | CVE-2025-55113 | 9.0 - Critical | Using SSL/TLS with the non-default Access Control List feature and the non-default, undocumented Control-M/Agent configuration setting JAVA_AR set to "N" |
| 9.0.22.xxx and 9.0.21.xxx (Full Support) | CVE-2025-55117 | 5.3 - Medium | Using both of two non-default, undocumented Control-M/Agent configuration settings: JAVA_AR set to "N" and use_openssl set to "N" |
| 9.0.22.xxx and 9.0.21.xxx (Full Support) | CVE-2025-55118 | 8.9 - High | Same conditions as CVE-2025-55117 (see Summary) |
| 9.0.20.xxx (out of support) and potentially earlier unsupported versions | CVE-2025-55108 | 10.0 - Critical | Pending disclosure: related to enabling SSL/TLS between Control-M/Server and Agents (public disclosure planned in 2 months) |
| 9.0.20.xxx (out of support) and potentially earlier unsupported versions | CVE-2025-55109 | 9.0 - Critical | Using SSL/TLS between Control-M/Server and Agent with an empty or default KDB Agent keystore or a default PKCS#12 keystore |
| 9.0.20.xxx (out of support) and potentially earlier unsupported versions | CVE-2025-55110 | 5.5 - Medium | Using SSL/TLS between Control-M/Server and Agent with the default keystore password |
| 9.0.20.xxx (out of support) and potentially earlier unsupported versions | CVE-2025-55111 | 5.5 - Medium | Using SSL/TLS between Control-M/Server and Agent |
| 9.0.20.xxx (out of support) and potentially earlier unsupported versions | CVE-2025-55112 | 7.4 - High | Using the non-default Blowfish algorithm |
| 9.0.20.xxx (out of support) and potentially earlier unsupported versions | CVE-2025-55113 | 9.0 - Critical | Using SSL/TLS with the non-default Access Control List feature |
| 9.0.20.xxx (out of support) and potentially earlier unsupported versions | CVE-2025-55114 | 5.3 - Medium | Using SSL/TLS with the non-default IP filter feature |
| 9.0.20.xxx (out of support) and potentially earlier unsupported versions | CVE-2025-55115 | 8.8 - High | Control-M/Agent versions 9.0.20.000 and lower; versions 9.0.20.100 and higher are not impacted |
| 9.0.20.xxx (out of support) and potentially earlier unsupported versions | CVE-2025-55116 | 8.8 - High | Same conditions as CVE-2025-55115 (see Summary) |
| 9.0.20.xxx (out of support) and potentially earlier unsupported versions | CVE-2025-55117 | 5.3 - Medium | Using SSL/TLS with the non-default configuration setting use_openssl set to "N" |
| 9.0.20.xxx (out of support) and potentially earlier unsupported versions | CVE-2025-55118 | 8.9 - High | Same conditions as CVE-2025-55117 (see Summary) |
Summary:
| CVE Number | Affected: SaaS/Helix | Affected: 9.0.22 | Affected: 9.0.21 | Affected: 9.0.20.100 / 9.0.20.200 | Affected: 9.0.20.000 and lower | Knowledge Article |
|---|---|---|---|---|---|---|
| CVE-2025-55108 | No | Yes | Yes | Yes | Yes | 000441962 |
| CVE-2025-55109 | No | Yes w/ SSL & demo cert | Yes w/ SSL & demo cert | Yes w/ SSL | Yes w/ SSL | 000441963 |
| CVE-2025-55110 | No | Yes w/ SSL | Yes w/ SSL | Yes w/ SSL | Yes w/ SSL | 000441964 |
| CVE-2025-55111 | No | Yes w/ SSL, upgraded from 9.0.20 & lower | Yes w/ SSL, upgraded from 9.0.20 & lower | Yes w/ SSL | Yes w/ SSL | 000441965 |
| CVE-2025-55112 | No | No | No | Yes w/ Blowfish | Yes w/ Blowfish | 000441966 |
| CVE-2025-55113 | No | Yes w/ SSL, ACL, JAVA_AR=N | Yes w/ SSL, ACL, JAVA_AR=N | Yes w/ SSL, ACL | Yes w/ SSL, ACL | 000441967 |
| CVE-2025-55114 | No | No | No | Yes w/ SSL & IP filter | Yes w/ SSL & IP filter | 000441968 |
| CVE-2025-55115 & CVE-2025-55116 | No | No | No | No | Yes | 000441969 |
| CVE-2025-55117 & CVE-2025-55118 | No | Yes w/ SSL, JAVA_AR=N, use_openssl=N | Yes w/ SSL, JAVA_AR=N, use_openssl=N | Yes w/ SSL & use_openssl=N | Yes w/ SSL & use_openssl=N | 000441972 |
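The two tables above turned into a triage check for a fleet of Agents, written as an added example that is neither BMC tooling nor part of the original article. Given an on-premises Agent's version and the configuration facts from the "Applicable ONLY when" column, it prints the CVE ids that column marks as applicable (SaaS/Helix is not affected by any of them). The key=value input names are this script's own assumptions; it does not read an Agent's configuration, so take the real values for JAVA_AR, use_openssl, keystore and keystore-password state, ACL, IP filter, Blowfish and upgrade history from your own review of each Agent.

```shell
#!/bin/sh
# Added example, not BMC tooling: map an on-premises Control-M/Agent's version and
# configuration to the CVEs the advisory's "Applicable ONLY when" column lists.
# The key=value names below are assumptions of this script; supply real values
# from your Agent review. Every value is Y or N; omitted keys default to the
# documented (safe) setting, and ssl defaults to N (TCP mode).

# Appends one CVE id to the result list built by ctm_applicable_cves.
ctm_add_cve() { cves="$cves CVE-2025-$1"; }

# Usage: ctm_applicable_cves version=9.0.21.200 ssl=Y java_ar=N use_openssl=N \
#            default_keystore=N default_ks_password=N upgraded_from_920=Y \
#            acl=Y ipfilter=N blowfish=N
ctm_applicable_cves() {
    version='' ssl=N java_ar=Y use_openssl=Y default_keystore=N
    default_ks_password=N upgraded_from_920=N acl=N ipfilter=N blowfish=N
    for kv in "$@"; do
        case $kv in
            version=*)             version=${kv#*=} ;;
            ssl=*)                 ssl=${kv#*=} ;;
            java_ar=*)             java_ar=${kv#*=} ;;
            use_openssl=*)         use_openssl=${kv#*=} ;;
            default_keystore=*)    default_keystore=${kv#*=} ;;
            default_ks_password=*) default_ks_password=${kv#*=} ;;
            upgraded_from_920=*)   upgraded_from_920=${kv#*=} ;;
            acl=*)                 acl=${kv#*=} ;;
            ipfilter=*)            ipfilter=${kv#*=} ;;
            blowfish=*)            blowfish=${kv#*=} ;;
            *) echo "unknown argument: $kv" >&2; return 2 ;;
        esac
    done

    # Version tier: 9.0.21/9.0.22 (Full Support) versus 9.0.20 and earlier.
    # CVE-2025-55115/55116 apply only to 9.0.20.000 and lower; 9.0.20.100+ are clear.
    case $version in
        9.0.21.*|9.0.22.*) tier=supported; pre_920_100=N ;;
        9.0.20.*)
            tier=legacy
            fix=${version##*.}
            while [ "${fix#0}" != "$fix" ]; do fix=${fix#0}; done   # "000" -> "" (treated as 0)
            if [ "${fix:-0}" -lt 100 ]; then pre_920_100=Y; else pre_920_100=N; fi ;;
        9.0.20|9.0.1[0-9]*|9.0.0*|[1-8].*) tier=legacy; pre_920_100=Y ;;
        *) echo "unrecognised Agent version: $version" >&2; return 2 ;;
    esac

    cves=''
    ctm_add_cve 55108   # listed for every on-premises version; details pending disclosure
    [ "$ssl" = Y ] && [ "$default_keystore" = Y ]    && ctm_add_cve 55109
    [ "$ssl" = Y ] && [ "$default_ks_password" = Y ] && ctm_add_cve 55110
    if [ "$tier" = supported ]; then
        [ "$ssl" = Y ] && [ "$upgraded_from_920" = Y ] && ctm_add_cve 55111
        [ "$ssl" = Y ] && [ "$acl" = Y ] && [ "$java_ar" = N ] && ctm_add_cve 55113
        if [ "$ssl" = Y ] && [ "$java_ar" = N ] && [ "$use_openssl" = N ]; then
            ctm_add_cve 55117; ctm_add_cve 55118
        fi
    else
        [ "$ssl" = Y ] && ctm_add_cve 55111
        [ "$blowfish" = Y ] && ctm_add_cve 55112
        [ "$ssl" = Y ] && [ "$acl" = Y ] && ctm_add_cve 55113
        [ "$ssl" = Y ] && [ "$ipfilter" = Y ] && ctm_add_cve 55114
        if [ "$pre_920_100" = Y ]; then ctm_add_cve 55115; ctm_add_cve 55116; fi
        if [ "$ssl" = Y ] && [ "$use_openssl" = N ]; then
            ctm_add_cve 55117; ctm_add_cve 55118
        fi
    fi
    printf '%s\n' "${cves# }"
}

# Constructed sample: a supported Agent upgraded from 9.0.20, running SSL/TLS with
# the ACL feature and the undocumented JAVA_AR=N / use_openssl=N settings.
ctm_applicable_cves version=9.0.21.200 ssl=Y java_ar=N use_openssl=N upgraded_from_920=Y acl=Y
```

An empty result apart from CVE-2025-55108 means the Agent is on a supported version with the documented settings, which is exactly the end state the solution steps above aim for; anything else in the output names the knowledge article row to work through next.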