CVE-2026-12628
CRITICALHardcoded credential in the IBM Storage Protect Snapshot For Windows leads to unauthorized access to system
Title source: cnaDescription
IBM Storage Protect Client 8.1.0.0 through 8.2.1.0 and IBM Storage Protect Snapshot For Windows 8.1.0.0 through 8.2.1.0 could allow a remote attacker to bypass authentication due to the use of a hardcoded credential in the FlashCopy Manager (FCM) authentication mechanism. The application contains a static credential embedded in multiple authentication code paths, and does not properly validate authentication responses, which may allow an unauthenticated attacker to establish a trusted session and access protected services. This vulnerability affects client components across multiple versions and may allow an attacker to impersonate legitimate clients, potentially leading to unauthorized access to system resources.
References (1)
Core 1
Core References
Vendor Advisory vendor-advisory
patch
https://www.ibm.com/support/pages/node/7277245
Scores
CVSS v3
9.1
EPSS
0.0036
EPSS Percentile
27.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-798
Status
published
Products (3)
IBM/Storage Protect Client
8.1.0.0 - 8.2.1.0
IBM/Storage Protect Snapshot For Windows
8.1.0.0 - 8.2.1.0
ibm/storage_protect
8.1.0.0 - 8.2.1.1
Published
Jun 22, 2026
Tracked Since
Jun 22, 2026