Invocation of Process Using Visible Sensitive Information

CVE-2025-48709

Medium

4.8/10

Summary

BMC Control-M/Server 9.0.21.300 displays cleartext database credentials in process lists and logs. An authenticated attacker with shell access could observe these credentials and use them to log in to the database server. For example, when Control-M/Server on Windows has a database connection on, it runs 'DBUStatus.exe' frequently, which then calls 'dbu_connection_details.vbs' with the username, password, database hostname, and port written in cleartext, which can be seen in event and process logs in two separate locations. Fixed in PACTV.9.0.21.307.

Attack Complexity: LOW
Attack Vector: LOCAL
Integrity Impact: NONE
Scope: CHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: LOW
Availability Impact: NONE

CWE-214 - Invocation of Process Using Visible Sensitive Information

A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system.

References

Advisory Timeline

Published Aug 07, 2025

Invocation of Process Using Visible Sensitive Information

CVE-2025-48709

Summary

CWE-214 - Invocation of Process Using Visible Sensitive Information

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS