CVE-2025-48709 (GCVE-0-2025-48709)
Vulnerability from cvelistv5 – Published: 2025-08-07 00:00 – Updated: 2025-12-01 21:57
VLAI?
Summary
BMC Control-M/Server 9.0.21.300 displays cleartext database credentials in process lists and logs. An authenticated attacker with shell access could observe these credentials and use them to log in to the database server. For example, when Control-M/Server on Windows has a database connection on, it runs 'DBUStatus.exe' frequently, which then calls 'dbu_connection_details.vbs' with the username, password, database hostname, and port written in cleartext, which can be seen in event and process logs in two separate locations. Fixed in PACTV.9.0.21.307.
Severity ?
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| BMC | Control-M/Server |
Affected:
9.0.21.300 , < PACTV.9.0.21.307
(custom)
Unaffected: PACTV.9.0.21.307 |
Credits
Derrick Polakoff
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:bmc:control-m:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "control-m",
"vendor": "bmc",
"versions": [
{
"lessThan": "9.0.21.300 PACTV.9.0.21.307",
"status": "affected",
"version": "9.0.21.300",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "PACTV.9.0.21.307"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48709",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-27T15:23:04.978628Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T21:57:06.906Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Control-M/Server",
"vendor": "BMC",
"versions": [
{
"lessThan": "PACTV.9.0.21.307",
"status": "affected",
"version": "9.0.21.300",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "PACTV.9.0.21.307"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Derrick Polakoff"
}
],
"datePublic": "2025-08-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "BMC Control-M/Server 9.0.21.300 displays cleartext database credentials in process lists and logs. An authenticated attacker with shell access could observe these credentials and use them to log in to the database server. For example, when Control-M/Server on Windows has a database connection on, it runs \u0027DBUStatus.exe\u0027 frequently, which then calls \u0027dbu_connection_details.vbs\u0027 with the username, password, database hostname, and port written in cleartext, which can be seen in event and process logs in two separate locations. Fixed in PACTV.9.0.21.307."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-48709",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-02T16:23:53.246063Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-214",
"description": "CWE-214 Invocation of Process Using Visible Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T21:20:49.549Z",
"orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
"shortName": "cisa-cg"
},
"references": [
{
"name": "url",
"url": "https://docs.bmc.com/xwiki/bin/view/Control-M-Orchestration/Control-M/ctm9021/Patches/Control-M-Server-PACTV-9-0-21-307/"
}
],
"title": "BMC Control-M/Server cleartext database credentials in process lists and logs"
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-48709",
"datePublished": "2025-08-07T00:00:00.000Z",
"dateReserved": "2025-05-23T00:00:00.000Z",
"dateUpdated": "2025-12-01T21:57:06.906Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-48709\",\"sourceIdentifier\":\"9119a7d8-5eab-497f-8521-727c672e3725\",\"published\":\"2025-08-07T20:15:28.117\",\"lastModified\":\"2025-12-01T22:15:48.363\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"BMC Control-M/Server 9.0.21.300 displays cleartext database credentials in process lists and logs. An authenticated attacker with shell access could observe these credentials and use them to log in to the database server. For example, when Control-M/Server on Windows has a database connection on, it runs \u0027DBUStatus.exe\u0027 frequently, which then calls \u0027dbu_connection_details.vbs\u0027 with the username, password, database hostname, and port written in cleartext, which can be seen in event and process logs in two separate locations. Fixed in PACTV.9.0.21.307.\"},{\"lang\":\"es\",\"value\":\"Se detect\u00f3 un problema en BMC Control-M 9.0.21.300. Cuando el servidor Control-M tiene una conexi\u00f3n a la base de datos, ejecuta DBUStatus.exe con frecuencia, lo que a su vez llama a dbu_connection_details.vbs con el nombre de usuario, la contrase\u00f1a, el nombre de host de la base de datos y el puerto escritos en texto sin cifrar, lo cual se puede ver en los registros de eventos y procesos en dos ubicaciones distintas.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N\",\"baseScore\":3.8,\"baseSeverity\":\"LOW\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.0,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-214\"},{\"lang\":\"en\",\"value\":\"CWE-532\"}]}],\"references\":[{\"url\":\"https://docs.bmc.com/xwiki/bin/view/Control-M-Orchestration/Control-M/ctm9021/Patches/Control-M-Server-PACTV-9-0-21-307/\",\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-48709\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-10-27T15:23:04.978628Z\"}}}, {\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 3.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:bmc:control-m:*:*:*:*:*:*:*:*\"], \"vendor\": \"bmc\", \"product\": \"control-m\", \"versions\": [{\"status\": \"affected\", \"version\": \"9.0.21.300\", \"lessThan\": \"9.0.21.300 PACTV.9.0.21.307\", \"versionType\": \"custom\"}, {\"status\": \"unaffected\", \"version\": \"PACTV.9.0.21.307\"}], \"defaultStatus\": \"unknown\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"BMC Control-M/Server 9.0.21.300 displays cleartext database credentials in process lists and logs. An authenticated attacker with shell access could observe these credentials and use them to log in to the database server. For example, when Control-M/Server on Windows has a database connection on, it runs \u0027DBUStatus.exe\u0027 frequently, which then calls \u0027dbu_connection_details.vbs\u0027 with the username, password, database hostname, and port written in cleartext, which can be seen in event and process logs in two separate locations. Fixed in PACTV.9.0.21.307.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-532\", \"description\": \"CWE-532 Insertion of Sensitive Information into Log File\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-08-12T14:06:38.841Z\"}}], \"cna\": {\"title\": \"BMC Control-M/Server cleartext database credentials in process lists and logs\", \"credits\": [{\"lang\": \"en\", \"value\": \"Derrick Polakoff\"}], \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 4.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"LOW\"}}, {\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 3.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-48709\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-10-02T16:23:53.246063Z\"}}}], \"affected\": [{\"vendor\": \"BMC\", \"product\": \"Control-M/Server\", \"versions\": [{\"status\": \"affected\", \"version\": \"9.0.21.300\", \"lessThan\": \"PACTV.9.0.21.307\", \"versionType\": \"custom\"}, {\"status\": \"unaffected\", \"version\": \"PACTV.9.0.21.307\"}], \"defaultStatus\": \"affected\"}], \"datePublic\": \"2025-08-06T00:00:00.000Z\", \"references\": [{\"url\": \"https://docs.bmc.com/xwiki/bin/view/Control-M-Orchestration/Control-M/ctm9021/Patches/Control-M-Server-PACTV-9-0-21-307/\", \"name\": \"url\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"BMC Control-M/Server 9.0.21.300 displays cleartext database credentials in process lists and logs. An authenticated attacker with shell access could observe these credentials and use them to log in to the database server. For example, when Control-M/Server on Windows has a database connection on, it runs \u0027DBUStatus.exe\u0027 frequently, which then calls \u0027dbu_connection_details.vbs\u0027 with the username, password, database hostname, and port written in cleartext, which can be seen in event and process logs in two separate locations. Fixed in PACTV.9.0.21.307.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-532\", \"description\": \"CWE-532 Insertion of Sensitive Information into Log File\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-214\", \"description\": \"CWE-214 Invocation of Process Using Visible Sensitive Information\"}]}], \"providerMetadata\": {\"orgId\": \"9119a7d8-5eab-497f-8521-727c672e3725\", \"shortName\": \"cisa-cg\", \"dateUpdated\": \"2025-12-01T21:20:49.549Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-48709\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-12-01T21:57:06.906Z\", \"dateReserved\": \"2025-05-23T00:00:00.000Z\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2025-08-07T00:00:00.000Z\", \"assignerShortName\": \"mitre\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…