CVE-2026-12628
CriticalCVSS 9.1Exploitation Probability (EPSS)
Low risk28th percentile — higher than 28% of all known CVEs
Summary
IBM Storage Protect Client 8.1.0.0 through 8.2.1.0 and IBM Storage Protect Snapshot For Windows 8.1.0.0 through 8.2.1.0 contain a hardcoded credential in the FlashCopy Manager (FCM) authentication mechanism, allowing a remote attacker to bypass authentication and gain unauthorized access to protected services.
Risk Assessment
An attacker can impersonate legitimate clients and gain unauthorized access to system resources, potentially leading to confidentiality and integrity breaches.
Recommendation
Immediately upgrade IBM Storage Protect Client and Snapshot For Windows to a version later than 8.2.1.0, which removes the hardcoded credential.
Original NVD description (English source)
IBM Storage Protect Client 8.1.0.0 through 8.2.1.0 and IBM Storage Protect Snapshot For Windows 8.1.0.0 through 8.2.1.0 could allow a remote attacker to bypass authentication due to the use of a hardcoded credential in the FlashCopy Manager (FCM) authentication mechanism. The application contains a static credential embedded in multiple authentication code paths, and does not properly validate authentication responses, which may allow an unauthenticated attacker to establish a trusted session and access protected services. This vulnerability affects client components across multiple versions and may allow an attacker to impersonate legitimate clients, potentially leading to unauthorized access to system resources.

