Request to Correct CVSS Score for CVE-2025-48709

[amarnathatbmc]

We contacted CVE Request (CVE-Request@mitre.org
) regarding an update to the CVSS score for CVE-2025-48709, and they advised us to raise the issue here, as the CVSS score in CVE-2025-48709 was originally provided by the CISA ADP.

I am writing to request a correction for the published CVSS score of CVE-2025-48709 which is published against our BMC product.

This issue was originally reported and agreed upon by both the reporter and our internal security team as Low severity. However, on the NVD listing (https://nvd.nist.gov/vuln/detail/CVE-2025-48709), it currently appears with a Critical 9.8 severity rating, which does not reflect the actual impact.

As evidence, I have attached a copy of the original report, where the CVSS v3.1 vector and calculation are documented as:

AV:L / AC:H / PR:L / UI:N / S:C / C:L / I:N / A:N
CVSS v3.1 Base Score: 2.8 (Low)
We kindly request that the CVSS score for CVE-2025-48709 be updated to correctly reflect the Low severity (2.8) rating.

Please let me know if you require any additional details or supporting documentation.

[dallison-cisa]

@amarnathatbmc ,

Thank you for your report.
I am rereading the CVE description trying to understand the problem. The issue is that the process logs contain the key information. Is your assertion that the log files are not accessible from the network and only accessible via the local machine?

[amarnathatbmc]

Hi @dallison-cisa
The process logs are only accessible via local machine and only accessible to the current-local user who has invoked the process.

Please let me know if you any further questions.

[dallison-cisa]

@amarnathatbmc
Thank you for your prompt reply. Based on your reply, I agree that the attack vector should be altered to local and that privileges required should be set to low at a minimum. But since the information in the logs could contain multiple user accounts, to include the admin account username and password, I assert that the confidentiality, integrity, and availability should remain high.

I have updated the record with CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H and adjusted the SSVC assessment accordingly (automatable:no based on not being accessible from anywhere and requiring authentication). Updates to vulnrichment will be available within the hour. Updates are already present at https://cveawg.mitre.org/api/cve/CVE-2025-48709/.

[amarnathatbmc]

@dallison-cisa I would like to explain this issue in a private channel. Could you please provide me with an email address where we can continue the discussion in detail?

[amarnathatbmc]

@dallison-cisa I would like to explain this issue in a private channel. Could you please provide me with an email address or private channel where we can continue the discussion in detail?

[dallison-cisa]

@amarnathatbmc
cvd@cisa.dhs.gov

[amarnathatbmc]

Thank you @dallison-cisa . I will send an email on cvd@cisa.dhs.gov with all details

[amanion-cisa]

To update this issue, we've read the CVSS spec carefully (again) and talked to BMC and will update the Vulnrichment CVSS score to CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N (3.8) as soon as the CVE Record has been updated. We requested that the CVE Record be transferred to us or updated.

Title: BMC Control-M/Server cleartext database credentials in process lists and logs

Description: BMC Control-M/Server 9.0.21.300 displays cleartext database credentials in process lists and logs. An authenticated attacker with shell access could observe these credentials and use them to log in to the database server. For example, when Control-M/Server on Windows has a database connection on, it runs 'DBUStatus.exe' frequently, which then calls 'dbu_connection_details.vbs' with the username, password, database hostname, and port written in cleartext, which can be seen in event and process logs in two separate locations. Fixed in PACTV.9.0.21.307.

Date Public: 2025-08-06

Problem Types:
CWE-532 Insertion of Sensitive Information into Log File
CWE-214 Invocation of Process Using Visible Sensitive Information

References:
https://docs.bmc.com/xwiki/bin/view/Control-M-Orchestration/Control-M/ctm9021/Patches/Control-M-Server-PACTV-9-0-21-307/

Acknowledgments:
Derrick Polakoff

CVSS Version 4.0:
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Base Score: 4.8
Severity: MEDIUM

CVSS Version 3.1:
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Base Score: 3.8
Severity: LOW

SSVC 2.0.3:
Scored on: 2025-10-02 09:23
Exploitation: poc
Automatable: no
Technical Impact: partial

Control-M/Server BMC 9.0.21.300 < PACTV.9.0.21.307 affected
Control-M/Server BMC PACTV.9.0.21.307 unaffected (fixed)

[amarnathatbmc]

@amanion-cisa do we have further update/progress on this?