CVE-2025-55115 CRITICAL

CVE-2025-55115: BMC Control-M/Agent path traversal local privilege escalation

Vendor BMC
Product Control-M/Agent
Weakness CWE-23
Published September 16, 2025
Last update February 26, 2026

CVSS base score

9.3/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01 Description

A path traversal in the Control-M/Agent can lead to a local privilege escalation when an attacker has access to the system running the Agent. This vulnerability impacts the out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions. This vulnerability was fixed in 9.0.20.100 and above.

Key dates

02 Disclosure timeline

September 16, 2025 CVE published
February 26, 2026 Record updated