An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A set of default debug user credentials is hardcoded in cleartext within the application package. If left unchanged, these credentials can be easily obtained and may allow unauthorized access to the MFT API debug interface.
CVE-2026-23781
NONE
EPSS 0.07%
Updated Apr 10, 2026
BMC
CVE Details
CVE ID
CVE-2026-23781
Published Date
Apr 10, 2026
Vendor
BMC
Severity
NONE
Exploit Prediction (EPSS)
Probability of Exploit
0.07%
Likelihood of exploitation in next 30 days
Percentile:
20.0th percentile (higher than 20.0% of all CVEs)
Standard patching cycle
Impact
Minimal impact
Source
View Advisory