Description
IBM Storage Protect Client 8.1.0.0 through 8.2.1.0 and IBM Storage Protect Snapshot For Windows 8.1.0.0 through 8.2.1.0 could allow a remote attacker to bypass authentication due to the use of a hardcoded credential in the FlashCopy Manager (FCM) authentication mechanism. The application contains a static credential embedded in multiple authentication code paths, and does not properly validate authentication responses, which may allow an unauthenticated attacker to establish a trusted session and access protected services. This vulnerability affects client components across multiple versions and may allow an attacker to impersonate legitimate clients, potentially leading to unauthorized access to system resources.
Published: 2026-06-22
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A static credential was embedded in the FlashCopy Manager authentication workflow of IBM Storage Protect Client and Snapshot For Windows. The hardcoded credential is immutable and the authentication logic does not correctly validate responses, allowing an unauthenticated user to forge credentials and gain a trusted session. This flaw can be used to impersonate legitimate clients and access protected services and data.

Affected Systems

IBM Storage Protect Client versions 8.1.0.0 through 8.2.1.0 and IBM Storage Protect Snapshot For Windows versions 8.1.0.0 through 8.2.1.0 are affected. IBM has released an iFix for Windows (8.2.1.1) that removes the hardcoded credential; other platforms (AIX, HP‑UX, Linux, Macintosh, and Solaris) still contain the credential but it is not actively used and will be addressed in an upcoming release.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. EPSS data is not available, so the likelihood of exploitation remains unknown. The vulnerability is not listed in CISA KEV, suggesting no known large‑scale exploitation. Remote attackers can exploit the flaw over the network by sending authentication requests with the hardcoded credential, leading to unauthorized system access. The attack requires only network connectivity and does not involve local privilege escalation.

Generated by OpenCVE AI on June 22, 2026 at 16:32 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now.

Product | Fixing level | Platforms | Link to fix and instructions
IBM Storage Protect Backup-Archive Client | 8.2.1.1 | Windows | https://www.ibm.com/support/pages/node/7267111

Currently, the vulnerability has been addressed on the Windows platform through an iFix release. A hardcoded password present in the source code of IBM Storage Protect Snapshot For Windows, which led to a security vulnerability, has been resolved in this release. For other platforms (AIX, HP-UX, Linux, Macintosh, and Solaris), the hardcoded password still exists in the code; however, it is not actively used and is only identified during static code scans. This issue has been assessed as low severity, and separate PVRs have been created to track it.


Vendor Workaround

The remaining PVRs for other platforms are classified with a low severity score and will be addressed in an upcoming release.


OpenCVE Recommended Actions

  • Apply the IBM iFix release (IBM Storage Protect Backup‑Archive Client 8.2.1.1) to eliminate the hardcoded credential on Windows platforms.
  • Upgrade all IBM Storage Protect Snapshot For Windows installations to the fixed version as soon as possible.
  • For AIX, HP‑UX, Linux, Macintosh, and Solaris platforms, monitor the situation and apply temporary containment controls such as network segmentation until the official patch is released.
  • Remain alert for future releases that remove the hardcoded credential from all platforms.



Advisories

No advisories yet.

History

Mon, 22 Jun 2026 15:45:00 +0000

Type | Values Removed | Values Added
Description | | IBM Storage Protect Client 8.1.0.0 through 8.2.1.0 and IBM Storage Protect Snapshot For Windows 8.1.0.0 through 8.2.1.0 could allow a remote attacker to bypass authentication due to the use of a hardcoded credential in the FlashCopy Manager (FCM) authentication mechanism. The application contains a static credential embedded in multiple authentication code paths, and does not properly validate authentication responses, which may allow an unauthenticated attacker to establish a trusted session and access protected services. This vulnerability affects client components across multiple versions and may allow an attacker to impersonate legitimate clients, potentially leading to unauthorized access to system resources.
Title | | Hardcoded credential in the IBM Storage Protect Snapshot For Windows leads to unauthorized access to system
First Time appeared | | Ibm; Ibm storage Protect Client; Ibm storage Protect Snapshot For Windows
Weaknesses | | CWE-798
CPEs | | cpe:2.3:a:ibm:storage_protect_client:8.1.0.0:*:*:*:*:*:*:*; cpe:2.3:a:ibm:storage_protect_client:8.2.1.0:*:*:*:*:*:*:*; cpe:2.3:a:ibm:storage_protect_snapshot_for_windows:8.1.0.0:*:*:*:*:*:*:*; cpe:2.3:a:ibm:storage_protect_snapshot_for_windows:8.2.1.0:*:*:*:*:*:*:*
Vendors & Products | | Ibm; Ibm storage Protect Client; Ibm storage Protect Snapshot For Windows
References | |
Metrics | | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-06-22T13:43:33.351Z

Reserved: 2026-06-18T15:18:16.795Z

Link: CVE-2026-12628

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T16:45:16Z

Weaknesses
  • CWE-798

    Use of Hard-coded Credentials