A Control-M/Server communication command does not sufficiently filter or sanitize user-supplied input. Under certain conditions, this issue may allow an unauthenticated attacker to execute unauthorized commands on the affected server, potentially leading to compromise of the server. This vulnerability affects Control-M/Server versions 9.0.20.x to 9.0.21.200 (included) and potentially earlier unsupported versions.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-10539 is a critical command injection vulnerability in BMC Control-M/Server that allows unauthenticated attackers to execute arbitrary commands through insufficient input validation in server communication handlers. This vulnerability carries a CVSS score of 9.0, reflecting its severe impact potential. Organizations running Control-M/Server versions 9.0.20.x through 9.0.21.200 are immediately at risk, as are those on earlier unsupported versions. Control-M is widely deployed in enterprise environments for job scheduling and workflow automation, making this vulnerability particularly dangerous—successful exploitation could grant attackers complete server compromise and lateral movement capabilities within critical infrastructure and financial systems.
While this CVE currently has zero matching Casky skills, the underlying attack pattern falls within command injection and input validation bypass categories that Casky's extended reasoning capabilities would identify through behavioral analysis. When deployed, Casky's Claude-powered engine would detect exploitation attempts by analyzing anomalous communication patterns to Control-M/Server, identifying malformed input sequences that bypass sanitization filters, and flagging suspicious command execution chains initiated through unauthenticated channels. Practitioners using Casky would observe findings correlating raw network traffic patterns, abnormal process execution from Control-M processes, and command-line argument structures indicative of injection payloads—providing the behavioral forensics needed to confirm compromise even when traditional signature-based detection fails. Organizations should prioritize immediate patching and implement network segmentation around Control-M infrastructure while monitoring for exploitation indicators.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-10539. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation