CVE-2026-12628 Security Advisory
Maintained by Pétur Eyþórsson, Cristie Nordic. Last updated 2026-06-29.
This page tracks CVE-2026-12628 and related IBM Storage Protect and FlashCopy Manager advisories from the same research stream, tracked internally under the research label BUBBLEGUM. It is a factual reference for what is publicly known and what to do about it. It is not a technical write-up, so it contains no proof of concept, packet detail, credential strings, or unpublished mechanics for related findings. For vendor-confirmed scope and fixes, rely on the IBM bulletin, and verify current values against IBM, CVE.org, and NVD when you read this.
Status
- CVE-2026-12628 is public and fixed for Windows.
- Severity: Critical, CVSS 9.1, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N.
- Affected: IBM Storage Protect Client and Snapshot for Windows, 8.1.0.0 through 8.2.1.0 supported, with the underlying code present since 6.1.5.0 (see Affected versions).
- Fix: 8.2.1.1 Windows iFix.
- Related findings: reported to IBM, held pending advisories or fixes.
CVE-2026-12628
- CVE: CVE-2026-12628
- IBM bulletin: https://www.ibm.com/support/pages/node/7277245
- Severity: Critical, CVSS 9.1
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- Products: IBM Storage Protect Client and Snapshot for Windows, FlashCopy Manager configuration
- Fix: 8.2.1.1 Windows iFix, shipped under the Backup-Archive Client fixing level
- Impact: Remote, unauthenticated access to the FlashCopy Manager authentication path. IBM describes a hardcoded credential and improper validation of authentication responses, leading to a trusted session with SYSTEM-level access.
- Acknowledgement: Pétur Eyþórsson and Cristie Nordic
- Last verified: 2026-06-29
Affected versions
IBM's bulletin lists the affected supported products as IBM Storage Protect Client and Snapshot for Windows, versions 8.1.0.0 through 8.2.1.0.
The underlying code reaches back further. The hardcoded credential and the broken authentication have been present since IBM Tivoli Storage Manager 6.1.5.0, released in November 2011, and exist in every release from 6.1.5.0 onward. Out-of-support releases are affected too. They are outside IBM's supported-version advisory but still carry the code, so treat anything from 6.1.5.0 onward as vulnerable and plan upgrades where patching is not possible.
Vulnerable configurations
Exposure depends on a combination of factors, not simply on the product being installed. Prioritise a host when all of these apply:
- it is Windows-based;
- IBM Storage Protect Snapshot or FlashCopy Manager components are installed or used;
- it uses the FlashCopy Manager or Snapshot standalone configuration (TCPServeraddress FLASHCOPYMANAGER in the client options file);
- its service listeners are reachable from networks that do not need access;
- it is not yet patched to the fixed level.
Confirmed not affected
Standard IBM Storage Protect client-server backup paths should be assessed separately from the FlashCopy Manager and Snapshot path. In testing for this research, ordinary backup traffic to a real Storage Protect server did not show the same exposure pattern. Customers not using the affected configuration are lower priority for this specific issue. Verify versions, components, and configuration rather than assuming any deployment is clear, and avoid treating a deployment as definitively unaffected unless IBM states so.
Recommended actions
- Identify Windows systems running IBM Storage Protect Snapshot or FlashCopy Manager components.
- Determine which use the FlashCopy Manager or Snapshot standalone configuration.
- Verify the actual listening services on those systems rather than assuming a fixed port.
- Patch to the 8.2.1.1 Windows iFix per IBM's instructions, under the Backup-Archive Client fixing level.
- Restrict inbound access so the listeners are reachable only from the backup and management systems that require it.
- Confirm that untrusted networks, workstation networks, broad server segments, and external paths cannot reach those listeners.
- Review logs and network telemetry for unexpected access on systems that were broadly reachable before patching.
- Monitor IBM advisories and this page for related updates.
A single fixed-port firewall rule is not sufficient on its own. Confirm the actual listeners on each host and restrict those.
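The following PowerShell is an added triage example for the conditions in "Vulnerable configurations" and the steps in "Recommended actions"; it is not IBM or Cristie Nordic tooling. It assumes things the advisory does not state: that the client options file is dsm.opt under the classic Backup-Archive Client install directory, that the installed level is supplied by the operator (the page does not say where it is recorded), that levels at or above the 8.2.1.1 iFix carry the fix, and that the allowed source subnet is a constructed placeholder. Run it elevated so that process paths behind listeners are visible.

```powershell
# Added example for this advisory; not IBM or Cristie Nordic code.
# Assumed defaults below are not taken from the page; adjust per site.

function Test-StandaloneFlashCopyOption {
    # $true when the client options file selects the FlashCopy Manager /
    # Snapshot standalone configuration. Options-file comments start with '*'.
    param([Parameter(Mandatory)][string]$OptionsFile)
    if (-not (Test-Path -LiteralPath $OptionsFile)) { return $false }
    foreach ($line in Get-Content -LiteralPath $OptionsFile) {
        if ($line -match '^\s*\*') { continue }
        if ($line -match '^\s*TCPServeraddress\s+FLASHCOPYMANAGER\b') { return $true }
    }
    return $false
}

function Test-AffectedLevel {
    # Anything from 6.1.5.0 up to (not including) the 8.2.1.1 iFix is treated
    # as carrying the vulnerable code, out-of-support levels included.
    # Assumption: levels at or above 8.2.1.1 carry the fix.
    param([Parameter(Mandatory)][string]$Level)
    $v = [version]$Level
    return ($v -ge [version]'6.1.5.0') -and ($v -lt [version]'8.2.1.1')
}

function Get-ClientListener {
    # Enumerates the actual TCP listeners instead of assuming a fixed port and
    # flags those owned by a process under the client install directory.
    param([string]$InstallDir = 'C:\Program Files\Tivoli\TSM\baclient')  # assumed default
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress  = $_.LocalAddress
            LocalPort     = $_.LocalPort
            ProcessName   = $proc.ProcessName
            ProcessPath   = $proc.Path
            ClientProcess = [bool]($proc.Path -and $proc.Path -like "$InstallDir*")
            # 0.0.0.0 / :: binds every interface, so the listener is reachable beyond loopback
            AllInterfaces = $_.LocalAddress -in @('0.0.0.0', '::')
        }
    }
}

function Invoke-AdvisoryTriage {
    # Combines the "Vulnerable configurations" conditions into a host priority.
    param(
        [Parameter(Mandatory)][string]$InstalledLevel,
        [string]$OptionsFile = 'C:\Program Files\Tivoli\TSM\baclient\dsm.opt',  # assumed default
        [string]$InstallDir  = 'C:\Program Files\Tivoli\TSM\baclient'           # assumed default
    )
    $onWindows  = [System.Environment]::OSVersion.Platform -eq 'Win32NT'
    $affected   = Test-AffectedLevel -Level $InstalledLevel
    $standalone = Test-StandaloneFlashCopyOption -OptionsFile $OptionsFile
    $listeners  = @(Get-ClientListener -InstallDir $InstallDir | Where-Object ClientProcess)
    $exposed    = @($listeners | Where-Object AllInterfaces).Count -gt 0

    $priority = if ($onWindows -and $affected -and $standalone -and $exposed) { 'High' }
                elseif ($affected -and $standalone) { 'Medium' }
                elseif ($affected) { 'Low' }
                else { 'None' }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        InstalledLevel   = $InstalledLevel
        AffectedLevel    = $affected
        StandaloneConfig = $standalone
        ClientListeners  = $listeners
        ExposedListener  = $exposed
        Priority         = $priority
    }
}

function New-RestrictedListenerRule {
    # Inbound allow rule limited to the backup and management sources that
    # need the listener. Supports -WhatIf so the rule can be reviewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][int]$LocalPort,
        [string[]]$AllowedSources = @('10.10.0.0/24')  # constructed placeholder subnet
    )
    $name = "IBM Storage Protect listener $LocalPort (restricted)"
    if ($PSCmdlet.ShouldProcess("TCP port $LocalPort", "allow inbound only from $($AllowedSources -join ', ')")) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $LocalPort -RemoteAddress $AllowedSources -Action Allow | Out-Null
    }
}

# Usage: the level string is a constructed placeholder for this example.
Invoke-AdvisoryTriage -InstalledLevel '8.2.1.0' | Format-List
```

The allow rule only narrows reach when the profile's default inbound action is Block and no broader rule already permits the port, so after adding it, re-run Get-ClientListener and check from a workstation segment that the listener no longer answers.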
Related findings
Additional related findings have been reported to IBM. Technical details, identifiers, affected scope, severity, and mechanics for the unresolved issues are not published here while IBM assessment, fixes, or advisories are pending. Public entries will be added when IBM publishes advisories, or when safe defender guidance can be released without increasing customer exposure. This page does not list unpublished internal tracking IDs, expected CVEs, weakness classifications, or chaining relationships for unresolved findings.
Disclosure
CVE-2026-12628 is the first public advisory from this research stream. The remaining findings are under IBM handling, and their technical detail is withheld temporarily for customer protection. This page is updated as public advisories, fixes, mitigations, or safe defender guidance become available.
References
- IBM security bulletin: https://www.ibm.com/support/pages/node/7277245
- CVE.org record: https://www.cve.org/CVERecord?id=CVE-2026-12628
- NVD record: https://nvd.nist.gov/vuln/detail/CVE-2026-12628
- Cristie Nordic defender guidance article: https://blog.cristienordic.com/the-password-was-real
Revision history
- 2026-06-29: Tracker created. CVE-2026-12628 listed with current public severity and fix details. Defender guidance article linked.
- 2026-06-23: IBM updated CVSS and acknowledgement for CVE-2026-12628 (CVE record).
- 2026-06-21: IBM published the CVE-2026-12628 security bulletin.