CVE-2026-12628

CRITICAL

Hardcoded credential in the IBM Storage Protect Snapshot For Windows leads to unauthorized access to system

Title source: cna
STIX 2.1

Description

IBM Storage Protect Client 8.1.0.0 through 8.2.1.0 and IBM Storage Protect Snapshot For Windows 8.1.0.0 through 8.2.1.0 could allow a remote attacker to bypass authentication due to the use of a hardcoded credential in the FlashCopy Manager (FCM) authentication mechanism. The application contains a static credential embedded in multiple authentication code paths, and does not properly validate authentication responses, which may allow an unauthenticated attacker to establish a trusted session and access protected services. This vulnerability affects client components across multiple versions and may allow an attacker to impersonate legitimate clients, potentially leading to unauthorized access to system resources.

References (1)

Core 1
Core References
Vendor Advisory vendor-advisory patch
https://www.ibm.com/support/pages/node/7277245

Scores

CVSS v3 9.1
EPSS 0.0036
EPSS Percentile 27.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-798
Status published
Products (3)
IBM/Storage Protect Client 8.1.0.0 - 8.2.1.0
IBM/Storage Protect Snapshot For Windows 8.1.0.0 - 8.2.1.0
ibm/storage_protect 8.1.0.0 - 8.2.1.1
Published Jun 22, 2026
Tracked Since Jun 22, 2026