usd-2019-0066 | Control-M/Agent

Advisory ID: usd-2019-0066
CVE Number: CVE-2019-19218
Affected Product: Control-M/Agent
Affected Version:
Vulnerability Type: Insecure Password Storage
Security Risk: Conditional*
Vendor URL:
Vendor Status: Fixed (according to vendor)

* We consider the vulnerability to be of conditional severity because the vendor explicitly recommends using TLS and the attacks only work when TLS is disabled. Nevertheless, as we encountered real-life configurations without TLS, we would like to highlight the increased criticality in case of a customer misconfiguration.



An Insecure Password Storage vulnerability was found in the communication between Control-M/Agent and Control-M/Server when using the TCP protocol and handling output with an unsupported action.


Apply more restrictive file permissions to files that store sensitive information.


  • 2019-10-29 Initial contact with
  • 2019-10-29 Submit additional findings to
  • 2019-12-17 Agreement on Coordinated Disclosure: Vendor schedules fix for 10th February 2020
  • 2020-03-26 Vendor agrees to disclose advisories
  • 2020-04-29 Security advisory released


This security vulnerability was found by Tobias Neitzel of usd AG.