CVE-2026-12628 | IBM Storage Protect Client 8.1.0.0 through 8.2.1.0 and IBM S… | CVSS 8.1 HIGH

Description

IBM Storage Protect Client 8.1.0.0 through 8.2.1.0 and IBM Storage Protect Snapshot For Windows 8.1.0.0 through 8.2.1.0 could allow a remote attacker to bypass authentication due to the use of a hardcoded credential in the FlashCopy Manager (FCM) authentication mechanism. The application contains a static credential embedded in multiple authentication code paths, and does not properly validate authentication responses, which may allow an unauthenticated attacker to establish a trusted session and access protected services. This vulnerability affects client components across multiple versions and may allow an attacker to impersonate legitimate clients, potentially leading to unauthorized access to system resources.

Metadata

CVE ID: CVE-2026-12628
State: PUBLISHED
Assigner: ibm
Reserved: 2026-06-18 15:18 UTC
Published: 2026-06-22 13:43 UTC
Last updated: 2026-06-22 13:43 UTC
Primary CWE: CWE-798
CWE-798 Use of Hard-coded Credentials
Vendor / Product: IBM / Storage Protect Client
Sources: cve.org · NVD

Severity & Metrics

8.1 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Affected products (2)

Vendor	Product	Platform	Versions
IBM	Storage Protect Client	—	8.1.0.0 ≤ 8.2.1.0
IBM	Storage Protect Snapshot For Windows	—	8.1.0.0 ≤ 8.2.1.0

Weakness (CWE)

CWE	Source	Description
CWE-798	cna	CWE-798 Use of Hard-coded Credentials

CVSS scores (1)

Score	Severity	Version	Source	Vector
8.1	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

References (1)

https://www.ibm.com/support/pages/node/7277245