{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-12628", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2026-06-18T15:18:16.795Z", "datePublished": "2026-06-22T13:43:33.351Z", "dateUpdated": "2026-06-25T13:46:45.963Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-06-23T18:52:31.455Z"}, "title": "Hardcoded credential in the IBM Storage Protect Snapshot For Windows leads to unauthorized access to system", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-798", "description": "CWE-798 Use of Hard-coded Credentials", "type": "CWE"}]}], "affected": [{"vendor": "IBM", "product": "Storage Protect Client", "versions": [{"status": "affected", "version": "8.1.0.0", "lessThanOrEqual": "8.2.1.0", "versionType": "semver"}], "defaultStatus": "unaffected", "cpes": ["cpe:2.3:a:ibm:storage_protect_client:8.1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:storage_protect_client:8.2.1.0:*:*:*:*:*:*:*"]}, {"vendor": "IBM", "product": "Storage Protect Snapshot For Windows", "versions": [{"status": "affected", "version": "8.1.0.0", "lessThanOrEqual": "8.2.1.0", "versionType": "semver"}], "defaultStatus": "unaffected", "cpes": ["cpe:2.3:a:ibm:storage_protect_snapshot_for_windows:8.1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:storage_protect_snapshot_for_windows:8.2.1.0:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "IBM Storage Protect Client 8.1.0.0 through 8.2.1.0 and IBM Storage Protect Snapshot For Windows 8.1.0.0 through 8.2.1.0 could allow a remote attacker to bypass authentication due to the use of a hardcoded credential in the FlashCopy Manager (FCM) authentication mechanism. The application contains a static credential embedded in multiple authentication code paths, and does not properly validate authentication responses, which may allow an unauthenticated attacker to establish a trusted session and access protected services. This vulnerability affects client components across multiple versions and may allow an attacker to impersonate legitimate clients, potentially leading to unauthorized access to system resources.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>IBM Storage Protect Client 8.1.0.0 through 8.2.1.0 and IBM Storage Protect Snapshot For Windows 8.1.0.0 through 8.2.1.0 could allow a remote attacker to bypass authentication due to the use of a hardcoded credential in the FlashCopy Manager (FCM) authentication mechanism. The application contains a static credential embedded in multiple authentication code paths, and does not properly validate authentication responses, which may allow an unauthenticated attacker to establish a trusted session and access protected services. This vulnerability affects client components across multiple versions and may allow an attacker to impersonate legitimate clients, potentially leading to unauthorized access to system resources.</p>"}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7277245", "tags": ["vendor-advisory", "patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseSeverity": "CRITICAL", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}}], "workarounds": [{"lang": "en", "value": "The remaining PVRs for other platforms are classified with a low severity score and will be addressed in an upcoming release.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<div>The remaining PVRs for other platforms are classified with a low severity score and will be addressed in an upcoming release.</div>"}]}], "solutions": [{"lang": "en", "value": "IBM strongly recommends addressing the vulnerability now.\n\nProductFixing levelPlatformsLink to fix and instructionsIBM Storage Protect Backup-Archive Client8.2.1.1Windows\u00a0 https://www.ibm.com/support/pages/node/7267111 \n\n\n\nCurrently, the vulnerability has been addressed on the Windows platform through an iFix release.\n\n\n\n\n\nA hardcoded password present in the source code of IBM Storage Protect Snapshot For Windows, which led to a security vulnerability, has been resolved in this release.\n\n\n\nFor other platforms (AIX, HP-UX, Linux, Macintosh, and Solaris), the hardcoded password still exists in the code; however, it is not actively used and is only identified during static code scans. This issue has been assessed as low severity, and separate PVRs have been created to track it.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>IBM strongly recommends addressing the vulnerability now.</p><div><table><tbody><tr><td>Product</td><td>Fixing level</td><td>Platforms</td><td>Link to fix and instructions</td></tr><tr><td>IBM Storage Protect Backup-Archive Client</td><td>8.2.1.1</td><td>Windows&nbsp;</td><td><a href=\"https://www.ibm.com/support/pages/node/7267111\" rel=\"nofollow\">https://www.ibm.com/support/pages/node/7267111</a></td></tr></tbody></table></div><div></div><div>Currently, the vulnerability has been addressed on the Windows platform through an iFix release.</div><div></div><div><div><p>A hardcoded password present in the source code of IBM Storage Protect Snapshot For Windows, which led to a security vulnerability, has been resolved in this release.</p><p>For other platforms (AIX, HP-UX, Linux, Macintosh, and Solaris), the hardcoded password still exists in the code; however, it is not actively used and is only identified during static code scans. This issue has been assessed as low severity, and separate PVRs have been created to track it.</p></div></div><p></p>"}]}], "credits": [{"lang": "en", "value": "The vulnerability was reported to IBM by P\u00e9tur Ey\u00fe\u00f3rsson and Cristie Nordic.", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "ibm-cvegen"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-25T03:55:26.275060Z", "id": "CVE-2026-12628", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-25T13:46:45.963Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-12628", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-06-25T03:55:26.275060Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-23T14:05:28.287Z"}}], "cna": {"title": "Hardcoded credential in the IBM Storage Protect Snapshot For Windows leads to unauthorized access to system", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "The vulnerability was reported to IBM by P\u00e9tur Ey\u00fe\u00f3rsson and Cristie Nordic."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:ibm:storage_protect_client:8.1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:storage_protect_client:8.2.1.0:*:*:*:*:*:*:*"], "vendor": "IBM", "product": "Storage Protect Client", "versions": [{"status": "affected", "version": "8.1.0.0", "versionType": "semver", "lessThanOrEqual": "8.2.1.0"}], "defaultStatus": "unaffected"}, {"cpes": ["cpe:2.3:a:ibm:storage_protect_snapshot_for_windows:8.1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:storage_protect_snapshot_for_windows:8.2.1.0:*:*:*:*:*:*:*"], "vendor": "IBM", "product": "Storage Protect Snapshot For Windows", "versions": [{"status": "affected", "version": "8.1.0.0", "versionType": "semver", "lessThanOrEqual": "8.2.1.0"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "IBM strongly recommends addressing the vulnerability now.\n\nProductFixing levelPlatformsLink to fix and instructionsIBM Storage Protect Backup-Archive Client8.2.1.1Windows\u00a0 https://www.ibm.com/support/pages/node/7267111 \n\n\n\nCurrently, the vulnerability has been addressed on the Windows platform through an iFix release.\n\n\n\n\n\nA hardcoded password present in the source code of IBM Storage Protect Snapshot For Windows, which led to a security vulnerability, has been resolved in this release.\n\n\n\nFor other platforms (AIX, HP-UX, Linux, Macintosh, and Solaris), the hardcoded password still exists in the code; however, it is not actively used and is only identified during static code scans. This issue has been assessed as low severity, and separate PVRs have been created to track it.", "supportingMedia": [{"type": "text/html", "value": "<p>IBM strongly recommends addressing the vulnerability now.</p><div><table><tbody><tr><td>Product</td><td>Fixing level</td><td>Platforms</td><td>Link to fix and instructions</td></tr><tr><td>IBM Storage Protect Backup-Archive Client</td><td>8.2.1.1</td><td>Windows&nbsp;</td><td><a href=\"https://www.ibm.com/support/pages/node/7267111\" rel=\"nofollow\">https://www.ibm.com/support/pages/node/7267111</a></td></tr></tbody></table></div><div></div><div>Currently, the vulnerability has been addressed on the Windows platform through an iFix release.</div><div></div><div><div><p>A hardcoded password present in the source code of IBM Storage Protect Snapshot For Windows, which led to a security vulnerability, has been resolved in this release.</p><p>For other platforms (AIX, HP-UX, Linux, Macintosh, and Solaris), the hardcoded password still exists in the code; however, it is not actively used and is only identified during static code scans. This issue has been assessed as low severity, and separate PVRs have been created to track it.</p></div></div><p></p>", "base64": false}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7277245", "tags": ["vendor-advisory", "patch"]}], "workarounds": [{"lang": "en", "value": "The remaining PVRs for other platforms are classified with a low severity score and will be addressed in an upcoming release.", "supportingMedia": [{"type": "text/html", "value": "<div>The remaining PVRs for other platforms are classified with a low severity score and will be addressed in an upcoming release.</div>", "base64": false}]}], "x_generator": {"engine": "ibm-cvegen"}, "descriptions": [{"lang": "en", "value": "IBM Storage Protect Client 8.1.0.0 through 8.2.1.0 and IBM Storage Protect Snapshot For Windows 8.1.0.0 through 8.2.1.0 could allow a remote attacker to bypass authentication due to the use of a hardcoded credential in the FlashCopy Manager (FCM) authentication mechanism. The application contains a static credential embedded in multiple authentication code paths, and does not properly validate authentication responses, which may allow an unauthenticated attacker to establish a trusted session and access protected services. This vulnerability affects client components across multiple versions and may allow an attacker to impersonate legitimate clients, potentially leading to unauthorized access to system resources.", "supportingMedia": [{"type": "text/html", "value": "<p>IBM Storage Protect Client 8.1.0.0 through 8.2.1.0 and IBM Storage Protect Snapshot For Windows 8.1.0.0 through 8.2.1.0 could allow a remote attacker to bypass authentication due to the use of a hardcoded credential in the FlashCopy Manager (FCM) authentication mechanism. The application contains a static credential embedded in multiple authentication code paths, and does not properly validate authentication responses, which may allow an unauthenticated attacker to establish a trusted session and access protected services. This vulnerability affects client components across multiple versions and may allow an attacker to impersonate legitimate clients, potentially leading to unauthorized access to system resources.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-798", "description": "CWE-798 Use of Hard-coded Credentials"}]}], "providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-06-23T18:52:31.455Z"}}}, "cveMetadata": {"cveId": "CVE-2026-12628", "state": "PUBLISHED", "dateUpdated": "2026-06-25T13:46:45.963Z", "dateReserved": "2026-06-18T15:18:16.795Z", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "datePublished": "2026-06-22T13:43:33.351Z", "assignerShortName": "ibm"}, "dataVersion": "5.2"}

{}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.1.0.0,8.2.1.0]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Storage Protect Client", "source": "cna", "vendor": "IBM"}, "product": "storage_protect_client", "vendor": "ibm"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.1.0.0,8.2.1.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Storage Protect Snapshot For Windows", "source": "cna", "vendor": "IBM"}, "product": "storage_protect_snapshot_for_windows", "vendor": "ibm"}], "created": "2026-06-22T16:45:16.263604+00:00", "updated": "2026-06-24T10:45:03.165599+00:00", "vendors": ["ibm", "ibm$PRODUCT$storage_protect_client", "ibm$PRODUCT$storage_protect_snapshot_for_windows"]}