CVE Catalog

CVE-2026-12628

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.36%

28th percentile — higher than 28% of all known CVEs

Summary

IBM Storage Protect Client 8.1.0.0 through 8.2.1.0 and IBM Storage Protect Snapshot For Windows 8.1.0.0 through 8.2.1.0 contain a hardcoded credential in the FlashCopy Manager (FCM) authentication mechanism, allowing a remote attacker to bypass authentication and gain unauthorized access to protected services.

Risk Assessment

An attacker can impersonate legitimate clients and gain unauthorized access to system resources, potentially leading to confidentiality and integrity breaches.

Recommendation

Immediately upgrade IBM Storage Protect Client and Snapshot For Windows to a version later than 8.2.1.0, which removes the hardcoded credential.

Original NVD description (English source)

IBM Storage Protect Client 8.1.0.0 through 8.2.1.0 and IBM Storage Protect Snapshot For Windows 8.1.0.0 through 8.2.1.0 could allow a remote attacker to bypass authentication due to the use of a hardcoded credential in the FlashCopy Manager (FCM) authentication mechanism. The application contains a static credential embedded in multiple authentication code paths, and does not properly validate authentication responses, which may allow an unauthenticated attacker to establish a trusted session and access protected services. This vulnerability affects client components across multiple versions and may allow an attacker to impersonate legitimate clients, potentially leading to unauthorized access to system resources.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS