CVE-2026-12628
Status: Awaiting Analysis (Queue)
IBM Storage Protect Client Hard-Coded Credential Authentication Bypass

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: IBM Corporation

Description
IBM Storage Protect Client 8.1.0.0 through 8.2.1.0 and IBM Storage Protect Snapshot For Windows 8.1.0.0 through 8.2.1.0 could allow a remote attacker to bypass authentication due to the use of a hardcoded credential in the FlashCopy Manager (FCM) authentication mechanism. The application contains a static credential embedded in multiple authentication code paths, and does not properly validate authentication responses, which may allow an unauthenticated attacker to establish a trusted session and access protected services. This vulnerability affects client components across multiple versions and may allow an attacker to impersonate legitimate clients, potentially leading to unauthorized access to system resources.
Meta Information
Generated: 2026-06-22
AI Q&A: 2026-06-22
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor   Product                               Version / Range
ibm      storage_protect_client                8.1.0.0 (inclusive) through 8.2.1.0 (inclusive)
ibm      storage_protect_snapshot_for_windows  8.1.0.0 (inclusive) through 8.2.1.0 (inclusive)
CWE
CWE-798: The product contains hard-coded credentials, such as a password or cryptographic key.
Executive Summary

CVE-2026-12628 is a vulnerability in IBM Storage Protect Client and IBM Storage Protect Snapshot for Windows that allows a remote attacker to bypass authentication.

The issue arises because the FlashCopy Manager (FCM) authentication mechanism uses a hardcoded static credential embedded in multiple authentication code paths and does not properly validate authentication responses.

This flaw enables an unauthenticated attacker to establish a trusted session, impersonate legitimate clients, and access protected system resources.

Impact Analysis

This vulnerability can have a significant impact as it allows a remote unauthenticated attacker to bypass authentication and gain SYSTEM-level access to affected IBM Storage Protect components.

An attacker exploiting this flaw can impersonate legitimate clients and potentially access unauthorized system resources, leading to high confidentiality and integrity risks.

The CVSS base score of 8.1 reflects the high severity of this vulnerability.

Mitigation Strategies

IBM has released an interim fix (iFix) for the Windows platform to address the hardcoded password vulnerability in IBM Storage Protect Snapshot for Windows.

It is recommended to apply the available fix for Windows immediately to mitigate the risk of unauthorized access.

For other platforms such as AIX, HP-UX, Linux, Macintosh, and Solaris, the hardcoded password still exists in the code but is not actively used; these instances are considered low severity and will be addressed in future releases.

Additionally, monitoring for updates and applying them as they become available is advised.

Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.
