Petur Eythorsson | Jun 22, 2026 8:23:58 PM | 1 min read

The Password Was Real. The Check Was Not.

Why CVE-2026-12628 should be treated as Critical, and what defenders should restrict now.

IBM has published CVE-2026-12628 for IBM Storage Protect Snapshot for Windows. The bulletin describes a hardcoded credential in the FlashCopy Manager authentication mechanism, combined with improper validation of authentication responses. IBM also states that the issue may allow a remote unauthenticated attacker to bypass authentication, establish a trusted session, and access protected services.

IBM has also published a Windows fix in the 8.2.1.1 iFix. That is important, and customers running affected configurations should apply it. But this should not be treated as “just” an 8.1. 

Why it's serious

The exploit is seventy-six bytes. It does not contain a user name or the password, and it does not need to.

There is a password. It is called BUBBLEGUM, because apparently enterprise recovery software sometimes comes with jokes pre-installed. But the password is not even the worst part. The check that should validate it does not validate. The comparison result is discarded, the length is not properly initialized, and one side of the comparison is not populated from the wire.

Any one of those defects opens the door.

All three together mean the door was never built.
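To make the three defects concrete, here is a constructed C illustration added for this post. It is not IBM's code and not a reconstruction of the actual FlashCopy Manager check; the secret value, the one-byte-length message layout and every function name are assumptions. It shows why each defect on its own makes the comparison vacuous, and what a check that actually consults the wire looks like.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the hardcoded value; not the real credential. */
#define EXPECTED_SECRET "placeholder-secret"
#define MAX_RESP 64

/* Wire format assumed for illustration: one length byte, then the bytes. */
struct auth_msg { uint8_t len; uint8_t data[MAX_RESP]; };

static struct auth_msg make_msg(const char *s) {
    struct auth_msg m;
    size_t n = strlen(s);
    memset(&m, 0, sizeof m);
    if (n > MAX_RESP) n = MAX_RESP;
    m.len = (uint8_t)n;
    memcpy(m.data, s, n);
    return m;
}

/* The defect pattern described above: the received bytes are never copied
 * in, the length is never taken from the wire, and the comparison result is
 * thrown away. Any one of the three alone makes the check vacuous. */
static bool weak_check(const struct auth_msg *m) {
    char provided[MAX_RESP] = {0};   /* never populated from m->data */
    size_t len = 0;                  /* never set from m->len */
    int rc = 0;                      /* never assigned from memcmp */
    (void)memcmp(provided, EXPECTED_SECRET, len);   /* result discarded */
    (void)m;
    return rc == 0;                  /* "authenticated" for any input */
}

/* Corrected check: length and bytes come from the wire and are bounded, and
 * the comparison result decides the outcome (constant time over the secret). */
static bool hardened_check(const struct auth_msg *m) {
    const size_t want = strlen(EXPECTED_SECRET);
    uint8_t diff = 0;
    if (m == NULL || m->len > MAX_RESP || m->len != want) return false;
    for (size_t i = 0; i < want; i++)
        diff |= m->data[i] ^ (uint8_t)EXPECTED_SECRET[i];
    return diff == 0;
}

/* String wrappers so the two checks can be exercised side by side. */
bool check_weak(const char *resp) { struct auth_msg m = make_msg(resp); return weak_check(&m); }
bool check_hardened(const char *resp) { struct auth_msg m = make_msg(resp); return hardened_check(&m); }
```

Even the hardened version still carries a fixed secret; it only repairs the validation defects, and the hardcoded credential itself remains the other half of the finding.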

What you should do now

Apply IBM’s 8.2.1.1 Windows iFix where applicable. Then restrict network access to IBM Storage Protect Client Acceptor / dsmcad and FlashCopy Manager service exposure. In particular, review and restrict TCP 1580, the default listener used by dsmcad / the affected service path in this configuration. This should not be reachable from general server networks, workstation networks, user VLANs, or broad internal ranges.

Inventory Windows hosts running IBM Storage Protect Snapshot / FlashCopy Manager. Identify systems using FlashCopy Manager / Standalone mode, especially configurations containing TCPServeraddress FLASHCOPYMANAGER. Patch those systems, restrict inbound access to the smallest required backup and management scope, and review proxy or trust-state configuration for unexpected entries.

What comes next

I will be releasing a full technical research paper on BUBBLEGUM covering the root cause, architecture, tested scope, affected configurations, IOCs, and more.

The public message is simple: if you run IBM Storage Protect Snapshot / FlashCopy Manager on Windows, patch it, find exposed dsmcad / FlashCopy Manager services, restrict port 1580, and treat this as a Critical recovery-layer trust failure. The password was real. The check was not.

Petur Eythorsson
Senior Advisor | Cybersecurity & data protection expert | bridging enterprise IT, Digital Forensics & Legal Insight