BmcCVEs & Vulnerabilities

72 CVEs affecting Bmc products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

track-it\! 35patrol agent 24bladelogic server automation console 23remedy action request system 12remedy mid-tier 7control-m\/agent 7performance analysis for servers 5control-m 5
CVE-2025-55117MEDIUM

A stack-based buffer overflow can be remotely triggered when formatting an error message in the Control-M/Agent when SSL/TLS communication is configured. The issue occurs in the following cases: * Control-M/Agent 9.0.20: SSL/TLS configuration is set to the non-default setting "use_openssl=n"; * Control-M/Agent 9.0.21 and 9.0.22: Agent router configuration uses the non-default settings "JAVA_AR=N" and "use_openssl=n".

16 Sep 2025
5.3
CVSS
CVE-2025-55116HIGH

A buffer overflow in the Control-M/Agent can lead to a local privilege escalation when an attacker has access to the system running the Agent. This vulnerability impacts the out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions.

16 Sep 2025
8.8
CVSS
CVE-2025-55115HIGH

A path traversal in the Control-M/Agent can lead to a local privilege escalation when an attacker has access to the system running the Agent. This vulnerability impacts the out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions. This vulnerability was fixed in 9.0.20.100 and above.

16 Sep 2025
8.8
CVSS
CVE-2025-55113CRITICAL

If the Access Control List is enforced by the Control-M/Agent and the C router is in use (default in Out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions; non-default but configurable using the JAVA_AR setting in newer versions), the verification stops at the first NULL byte encountered in the email address referenced in the client certificate. An attacker could bypass configured ACLs by using a specially crafted certificate.

16 Sep 2025
10.0
CVSS
CVE-2025-55112HIGH

Out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 (and potentially earlier unsupported versions) that are configured to use the non-default Blowfish cryptography algorithm use a hardcoded key. An attacker with access to network traffic and to this key could decrypt network traffic between the Control-M/Agent and Server.

16 Sep 2025
7.4
CVSS
CVE-2025-55111MEDIUM

Certain files with overly permissive permissions were identified in the out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions as well as in newer versions which were upgraded from an affected version. These files contain keys and passwords relating to SSL files, keystore and policies. An attacker with local access to the system running the Agent can access these files.

16 Sep 2025
5.5
CVSS
CVE-2025-55109CRITICAL

An authentication bypass vulnerability exists in the out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions when using an empty or default kdb keystore or a default PKCS#12 keystore. A remote attacker with access to a signed third-party or demo certificate for client authentication can bypass the need for a certificate signed by the certificate authority of the organization during authentication on the Control-M/Agent. The Control-M/Agent contains hardcoded certificates which are only trusted as fallback if an empty kdb keystore is used; they are never trusted if a PKCS#12 keystore is used. All of these certificates are now expired. In addition, the Control-M/Agent default kdb and PKCS#12 keystores contain trusted third-party certificates (external recognized CAs and default self-signed demo certificates) which are trusted for client authentication.

16 Sep 2025
9.0
CVSS
CVE-2025-48709HIGH

BMC Control-M/Server 9.0.21.300 displays cleartext database credentials in process lists and logs. An authenticated attacker with shell access could observe these credentials and use them to log in to the database server. For example, when Control-M/Server on Windows has a database connection on, it runs 'DBUStatus.exe' frequently, which then calls 'dbu_connection_details.vbs' with the username, password, database hostname, and port written in cleartext, which can be seen in event and process logs in two separate locations. Fixed in PACTV.9.0.21.307.

7 Aug 2025
7.8
CVSS
CVE-2024-34398MEDIUM

An issue was discovered in BMC Remedy Mid Tier 7.6.04. The web application allows stored HTML Injection by authenticated remote attackers.

12 Mar 2025
4.2
CVSS
CVE-2024-34399CRITICAL

**UNSUPPORTED WHEN ASSIGNED** An issue was discovered in BMC Remedy Mid Tier 7.6.04. An unauthenticated remote attacker is able to access any user account without using any password. NOTE: This vulnerability only affects products that are no longer supported by the maintainer and the impacted version for this vulnerability is 7.6.04 only.

18 Sep 2024
9.8
CVSS
CVE-2021-35002HIGH

BMC Track-It! Unrestricted File Upload Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of BMC Track-It!. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of email attachments. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-14122.

8 May 2024
8.8
CVSS
CVE-2021-35001MEDIUM

BMC Track-It! GetData Missing Authorization Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of BMC Track-It!. Authentication is required to exploit this vulnerability. The specific flaw exists within the GetData endpoint. The issue results from the lack of authorization prior to allowing access to functionality. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-14527.

8 May 2024
6.5
CVSS
CVE-2024-1606MEDIUM

Lack of input sanitization in BMC Control-M branches 9.0.20 and 9.0.21 allows logged-in users for manipulation of generated web pages via injection of HTML code. This might lead to a successful phishing attack for example by tricking users into using a hyperlink pointing to a website controlled by an attacker. Fix for 9.0.20 branch was released in version 9.0.20.238. Fix for 9.0.21 branch was released in version 9.0.21.200.

18 Mar 2024
5.4
CVSS
CVE-2024-1605HIGH

BMC Control-M branches 9.0.20 and 9.0.21 upon user login load all Dynamic Link Libraries (DLL) from a directory that grants Write and Read permissions to all users. Leveraging it leads to loading of a potentially malicious libraries, which will execute with the application's privileges. Fix for 9.0.20 branch was released in version 9.0.20.238. Fix for 9.0.21 branch was released in version 9.0.21.201.

18 Mar 2024
7.8
CVSS
CVE-2024-1604MEDIUM

Improper authorization in the report management and creation module of BMC Control-M branches 9.0.20 and 9.0.21 allows logged-in users to read and make unauthorized changes to any reports available within the application, even without proper permissions. The attacker must know the unique identifier of the report they want to manipulate. Fix for 9.0.20 branch was released in version 9.0.20.238. Fix for 9.0.21 branch was released in version 9.0.21.201.

18 Mar 2024
6.8
CVSS
CVE-2020-35593HIGH

BMC PATROL Agent through 20.08.00 allows local privilege escalation via vectors involving pconfig +RESTART -host.

5 Sep 2023
7.8
CVSS
CVE-2017-9453CRITICAL

BMC Server Automation before 8.9.01 patch 1 allows Process Spawner command execution because of authentication bypass.

5 Sep 2023
9.8
CVSS
CVE-2023-39122CRITICAL

BMC Control-M through 9.0.20.200 allows SQL injection via the /RF-Server/report/deleteReport report-id parameter. This is fixed in 9.0.21 (and is also fixed by a patch for 9.0.20.200).

1 Aug 2023
9.8
CVSS
CVE-2023-34258HIGH

An issue was discovered in BMC Patrol before 22.1.00. The agent's configuration can be remotely queried. This configuration contains the Patrol account password, encrypted with a default AES key. This account can then be used to achieve remote code execution.

31 May 2023
7.5
CVSS
CVE-2023-34257CRITICAL

An issue was discovered in BMC Patrol through 23.1.00. The agent's configuration can be remotely modified (and, by default, authentication is not required). Some configuration fields related to SNMP (e.g., masterAgentName or masterAgentStartLine) result in code execution when the agent is restarted. NOTE: the vendor's perspective is "These are not vulnerabilities for us as we have provided the option to implement the authentication."

31 May 2023
9.8
CVSS
CVE-2023-26550CRITICAL

A SQL injection vulnerability in BMC Control-M before 9.0.20.214 allows attackers to execute arbitrary SQL commands via the memname JSON field.

25 Feb 2023
9.8
CVSS
CVE-2022-26088MEDIUM

An issue was discovered in BMC Remedy before 22.1. Email-based Incident Forwarding allows remote authenticated users to inject HTML (such as an SSRF payload) into the Activity Log by placing it in the To: field. This affects rendering that occurs upon a click in the "number of recipients" field. NOTE: the vendor's position is that "no real impact is demonstrated."

11 Nov 2022
5.4
CVSS
CVE-2022-35865CRITICAL

This vulnerability allows remote attackers to execute arbitrary code on affected installations of BMC Track-It! 20.21.2.109. Authentication is not required to exploit this vulnerability. The specific flaw exists within the authorization of HTTP requests. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-16709.

3 Aug 2022
9.8
CVSS
CVE-2022-35864MEDIUM

This vulnerability allows remote attackers to disclose sensitive information on affected installations of BMC Track-It! 20.21.02.109. Authentication is required to exploit this vulnerability. The specific flaw exists within the GetPopupSubQueryDetails endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-16690.

3 Aug 2022
6.5
CVSS
CVE-2022-24047CRITICAL

This vulnerability allows remote attackers to bypass authentication on affected installations of BMC Track-It! 20.21.01.102. Authentication is not required to exploit this vulnerability. The specific flaw exists within the authorization of HTTP requests. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-14618.

18 Feb 2022
9.8
CVSS
CVE-2017-17678MEDIUM

BMC Remedy Mid Tier 9.1SP3 is affected by cross-site scripting (XSS). A DOM-based cross-site scripting vulnerability was discovered in a legacy utility.

19 May 2021
6.1
CVSS
CVE-2017-17677HIGH

BMC Remedy 9.1SP3 is affected by authenticated code execution. Authenticated users that have the right to create reports can use BIRT templates to run code.

19 May 2021
8.8
CVSS
CVE-2017-17675MEDIUM

BMC Remedy Mid Tier 9.1SP3 is affected by log hijacking. Remote logging can be accessed by unauthenticated users, allowing for an attacker to hijack the system logs. This data can include user names and HTTP data.

19 May 2021
5.3
CVSS
CVE-2017-17674CRITICAL

BMC Remedy Mid Tier 9.1SP3 is affected by remote and local file inclusion. Due to the lack of restrictions on what can be targeted, the system can be vulnerable to attacks such as system fingerprinting, internal port scanning, Server Side Request Forgery (SSRF), or remote code execution (RCE).

19 May 2021
9.8
CVSS
CVE-2015-5072MEDIUM

The BIRT Engine servlet in the AR System Mid Tier component before 9.0 SP1 for BMC Remedy AR System Server allows remote authenticated users to "navigate" to arbitrary local files via the __imageid parameter.

15 Jan 2020
6.5
CVSS
CVE-2015-5071MEDIUM

AR System Mid Tier in the AR System Mid Tier component before 9.0 SP1 for BMC Remedy AR System Server allows remote authenticated users to "navigate" to arbitrary files via the __report parameter of the BIRT viewer servlet.

15 Jan 2020
6.5
CVSS
CVE-2019-11216MEDIUM

BMC Smart Reporting 7.3 20180418 allows authenticated XXE within the import functionality. One can import a malicious XML file and perform XXE attacks to download local files from the server, or do DoS attacks with XML expansion attacks. XXE with direct response and XXE OOB are allowed.

4 Dec 2019
6.5
CVSS
CVE-2019-17044HIGH

An issue was discovered in BMC Patrol Agent 9.0.10i. Weak execution permissions on the PatrolAgent SUID binary could allow an attacker with "patrol" privileges to elevate his/her privileges to the ones of the "root" user by specially crafting a shared library .so file that will be loaded during execution.

14 Oct 2019
7.8
CVSS
CVE-2019-17043HIGH

An issue was discovered in BMC Patrol Agent 9.0.10i. Weak execution permissions on the best1collect.exe SUID binary could allow an attacker to elevate his/her privileges to the ones of the "patrol" user by specially crafting a shared library .so file that will be loaded during execution.

14 Oct 2019
7.8
CVSS
CVE-2019-16755CRITICAL

BMC Remedy ITSM Suite is prone to unspecified vulnerabilities in both DWP and SmartIT components, which can permit remote attackers to perform pre-authenticated remote commands execution on the Operating System running the targeted application. Affected DWP versions: versions: 3.x to 18.x, all versions, service packs, and patches are affected by this vulnerability. Affected SmartIT versions: 1.x, 2.0, 18.05, 18.08, and 19.02, all versions, service packs, and patches are affected by this vulnerability.

26 Sep 2019
9.8
CVSS
CVE-2019-1010147MEDIUM

Yellowfin Smart Reporting All Versions Prior to 7.3 is affected by: Incorrect Access Control - Privileges Escalation. The impact is: Victim attacked and access admin functionality through their browser and control browser. The component is: MIAdminStyles.i4. The attack vector is: Victims are typically lured to a web site under the attacker's control; the XSS vulnerability on the target domain is silently exploited without the victim's knowledge. The fixed version is: 7.4 and later.

26 Jul 2019
5.4
CVSS
CVE-2019-8352CRITICALpoc

By default, BMC PATROL Agent through 11.3.01 uses a static encryption key for encrypting/decrypting user credentials sent over the network to managed PATROL Agent services. If an attacker were able to capture this network traffic, they could decrypt these credentials and use them to execute code or escalate privileges on the network.

20 May 2019
9.8
CVSS
CVE-2018-18862HIGH

BMC Remedy Mid-Tier 7.1.00 and 9.1.02.003 for BMC Remedy AR System has Incorrect Access Control in ITAM forms, as demonstrated by TLS%3APLR-Configuration+Details/Default+Admin+View/, AST%3AARServerConnection/Default+Admin+View/, and AR+System+Administration%3A+Server+Information/Default+Admin+View/.

21 Mar 2019
8.8
CVSS
CVE-2018-20735HIGHpoc

An issue was discovered in BMC PATROL Agent through 11.3.01. It was found that the PatrolCli application can allow for lateral movement and escalation of privilege inside a Windows Active Directory environment. It was found that by default the PatrolCli / PATROL Agent application only verifies if the password provided for the given username is correct; it does not verify the permissions of the user on the network. This means if you have PATROL Agent installed on a high value target (domain controller), you can use a low privileged domain user to authenticate with PatrolCli and then connect to the domain controller and run commands as SYSTEM. This means any user on a domain can escalate to domain admin through PATROL Agent. NOTE: the vendor disputes this because they believe it is adequate to prevent this escalation by means of a custom, non-default configuration

17 Jan 2019
7.8
CVSS
CVE-2018-19505MEDIUM

Remedy AR System Server in BMC Remedy 7.1 may fail to set the correct user context in certain impersonation scenarios, which can allow a user to act with the identity of a different user, because userdata.js in the WOI:WorkOrderConsole component allows a username substitution involving a UserData_Init call.

3 Jan 2019
6.5
CVSS
CVE-2015-9257MEDIUM

BMC Remedy Action Request (AR) System 9.0 before 9.0.00 Service Pack 2 hot fix 1 has persistent XSS.

24 Mar 2018
6.1
CVSS
CVE-2017-18228MEDIUM

Remedy Mid Tier in BMC Remedy AR System 9.1 allows XSS via the ATTKey parameter in an arsys/servlet/AttachServlet request.

13 Mar 2018
5.4
CVSS
CVE-2017-18223HIGH

BMC Remedy AR System before 9.1 SP3, when Remedy AR Authentication is enabled, allows attackers to obtain administrative access.

11 Mar 2018
8.1
CVSS
CVE-2016-6599CRITICALpoc

BMC Track-It! 11.4 before Hotfix 3 exposes an unauthenticated .NET remoting configuration service (ConfigurationService) on port 9010. This service contains a method that can be used to retrieve a configuration file that contains the application database name, username and password as well as the domain administrator username and password. These are encrypted with a fixed key and IV ("NumaraIT") using the DES algorithm. The domain administrator username and password can only be obtained if the Self-Service component is enabled, which is the most common scenario in enterprise deployments.

30 Jan 2018
9.8
CVSS
CVE-2016-6598CRITICALpoc

BMC Track-It! 11.4 before Hotfix 3 exposes an unauthenticated .NET remoting file storage service (FileStorageService) on port 9010. This service contains a method that allows uploading a file to an arbitrary path on the machine that is running Track-It!. This can be used to upload a file to the web root and achieve code execution as NETWORK SERVICE or SYSTEM.

30 Jan 2018
9.8
CVSS
CVE-2014-9514MEDIUM

Cross-site scripting (XSS) vulnerability in BMC Footprints Service Core 11.5.

28 Aug 2017
6.1
CVSS
CVE-2017-13130HIGH

mcmnm in BMC Patrol allows local users to gain privileges via a crafted libmcmclnx.so file in the current working directory, because it is setuid root and the RPATH variable begins with the .: substring.

23 Aug 2017
7.8
CVSS
CVE-2016-5063MEDIUMpoc

The RSCD agent in BMC Server Automation before 8.6 SP1 Patch 2 and 8.7 before Patch 3 on Windows might allow remote attackers to bypass authorization checks and make an RPC call via unspecified vectors.

2 May 2017
5.3
CVSS
← PrevPage 1 / 2Next →