HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-12628Published Modified CNA ibm

CVE-2026-12628: Hardcoded credential in the IBM Storage Protect Snapshot For Windows leads to unauthorized access to system

IBM Storage Protect Client 8.1.0.0 through 8.2.1.0 and IBM Storage Protect Snapshot For Windows 8.1.0.0 through 8.2.1.0 could allow a remote attacker to bypass authentication due to the use of a hardcoded credential in the FlashCopy Manager (FCM) authentication mechanism. The application contains a static credential embedded in multiple authentication code paths, and does not properly validate authentication responses, which may allow an unauthenticated attacker to establish a trusted session and access protected services. This vulnerability affects client components across multiple versions and may allow an attacker to impersonate legitimate clients, potentially leading to unauthorized access to system resources.

Metrics

CVSS v3.1
9.1
Severity
CRITICAL
Fixed in
Affected Products
2

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

Authentication bypass via hardcoded credential in IBM Storage Protect Client and IBM Storage Protect Snapshot For Windows (versions 8.1.0.0 through 8.2.1.0). A remote, unauthenticated attacker can reach the FlashCopy Manager authentication mechanism over the network and present the embedded static credential to establish a trusted session without a legitimate account. Successful exploitation gives the attacker unauthorized read and write access to protected system resources. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment IBM publishes a fix version.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-12628 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in registries and CI/CD pipelines, including custom-built images that bundle IBM Storage Protect components.

Available
Triage

HarborGuard scores this CVE at CVSS 9.1 (Critical) and applies per-environment compliance policy weighting to determine urgency and routing, directing findings to the appropriate team inbox within each customer organization.

Available
Patch

Because no fix version has been published by IBM, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once a fix version is available.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the FlashCopy Manager service over the network; the CVSS vector specifies AV:N, meaning the vulnerable component is exposed to network-accessible traffic.

  • AuthenticationNot required

    No account or credential is needed prior to exploitation; the hardcoded static credential embedded in the application itself is sufficient to establish a trusted session.

  • Victim interactionNot required

    The attack is fully remote and automated; no user action or social-engineering step is required to trigger the vulnerability.

  • Attack complexityDetail

    Attack complexity is rated Low (AC:L), meaning the exploit is reliable and imposes no special race-condition, memory-layout, or environmental precondition on the attacker.

Blast Radius

  • Attacker reads protected data held by IBM Storage Protect services, including backup metadata, snapshot catalogs, and any system resources exposed through the trusted session.
  • Attacker modifies or deletes backup and snapshot configurations, potentially corrupting recovery points or redirecting backup targets.
  • Attacker impersonates a legitimate Storage Protect client, enabling persistent unauthorized access across subsequent sessions without re-exploiting the initial entry point.

How HarborGuard Handles This

Available on HarborGuard: because IBM has not yet published a fix version for CVE-2026-12628, the platform monitors the upstream advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment a fix is released. For customers who opt into auto-remediation, the rebuild, regression-test run, and a PR opened against affected workloads will be triggered immediately upon fix availability. In the interim, compensating controls are recommended: apply network-policy rules to restrict inbound access to FlashCopy Manager ports to known, trusted hosts only; enforce egress filtering to limit lateral movement from a compromised session; and where operationally feasible, gate FCM-dependent features behind a network segment that requires VPN or jump-host access. These controls reduce the exposed attack surface while IBM works toward a patch.

See how HarborGuard automates this
Affected packages
  • IBM / Storage Protect Client
    ≤ 8.2.1.0
  • IBM / Storage Protect Snapshot For Windows
    ≤ 8.2.1.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References