Cyber Posture

CVE-2025-68926

Severity: Critical · Public PoC

Published: 30 December 2025
Modified: 16 January 2026
KEV Added: (none listed)
Patch: (none listed)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1061 (93.3rd percentile)
Risk Priority: 26 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

RustFS is a distributed object storage system built in Rust. In versions prior to 1.0.0-alpha.78, RustFS implements gRPC authentication using a hardcoded static token `"rustfs rpc"` that is publicly exposed in the source code repository, hardcoded on both client and server sides, non-configurable with no mechanism for token rotation, and universally valid across all RustFS deployments. Any attacker with network access to the gRPC port can authenticate using this publicly known token and execute privileged operations including data destruction, policy manipulation, and cluster configuration changes. Version 1.0.0-alpha.78 contains a fix for the issue.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

prevent: IA-5 (Authenticator Management) mandates secure management of authenticators, directly prohibiting hardcoded static tokens that are non-configurable, publicly exposed, and lack rotation mechanisms.

prevent: IA-9 (Service Identification and Authentication) requires identification and authentication of system services such as the gRPC interface, preventing attackers from using the publicly known token to gain privileged access.

prevent: SI-2 (Flaw Remediation) ensures timely flaw remediation by applying patches such as RustFS version 1.0.0-alpha.78, which fixes the hardcoded token vulnerability.

Security Summary (AI-generated)

RustFS, a distributed object storage system implemented in Rust, contains a critical authentication vulnerability in versions prior to 1.0.0-alpha.78, tracked as CVE-2025-68926. The issue stems from a hardcoded static token, `"rustfs rpc"`, used for gRPC authentication. This token is publicly exposed in the source code repository, embedded on both client and server sides, non-configurable, lacks any rotation mechanism, and is valid universally across all RustFS deployments. The vulnerability is rated CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-287 (Improper Authentication) and CWE-798 (Use of Hard-coded Credentials).

Any unauthenticated attacker with network access to the exposed gRPC port can exploit this flaw by supplying the publicly known token to authenticate and perform privileged operations. Successful exploitation enables data destruction, policy manipulation, and cluster configuration changes, potentially leading to complete compromise of the storage system.

The GitHub Security Advisory (GHSA-h956-rh7x-ppgj) confirms that RustFS version 1.0.0-alpha.78 addresses the issue with a fix, urging users to upgrade immediately to mitigate the risk.
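As an added example (not RustFS code and not from the advisory), the following standard-library-only Rust sketch shows what a gRPC token check looks like once the three defects the advisory names are addressed: the token is loaded from deployment configuration rather than source, the service fails closed when nothing is configured and refuses the publicly known default, and several tokens may be valid at once so rotation is possible. The `RpcTokenAuth` type, the `Bearer` prefix handling and the 32-byte minimum length are assumptions made for illustration.

```rust
/// The static token the advisory says shipped in RustFS < 1.0.0-alpha.78 (quoted from the page).
const KNOWN_DEFAULT_TOKEN: &str = "rustfs rpc";

/// Constant-time byte comparison: every byte is visited regardless of where the inputs differ.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() { return false; }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

#[derive(Debug, PartialEq)]
pub enum AuthError {
    NotConfigured,        // nothing configured: refuse every request (fail closed)
    DefaultTokenRejected, // operator tried to keep the publicly known static token
    TooShort,             // shorter than the 32-byte floor assumed here
    InvalidToken,
}

/// Hypothetical hardened verifier. Tokens come from deployment configuration, never from
/// source, and several may be valid at once so a rotation can be rolled out node by node.
pub struct RpcTokenAuth {
    accepted: Vec<Vec<u8>>,
}

impl RpcTokenAuth {
    /// Validate the operator-supplied token list (newest first, then tokens being retired).
    pub fn from_config(tokens: &[&str]) -> Result<Self, AuthError> {
        if tokens.is_empty() { return Err(AuthError::NotConfigured); }
        let mut accepted = Vec::with_capacity(tokens.len());
        for t in tokens {
            if ct_eq(t.as_bytes(), KNOWN_DEFAULT_TOKEN.as_bytes()) {
                return Err(AuthError::DefaultTokenRejected);
            }
            if t.len() < 32 { return Err(AuthError::TooShort); }
            accepted.push(t.as_bytes().to_vec());
        }
        Ok(Self { accepted })
    }

    /// Check the value a gRPC peer sent in its `authorization` metadata.
    pub fn verify(&self, presented: &str) -> Result<(), AuthError> {
        let p = presented.strip_prefix("Bearer ").unwrap_or(presented).as_bytes();
        // Check every accepted token so response timing does not reveal which one matched.
        let ok = self.accepted.iter().fold(false, |acc, t| acc | ct_eq(t, p));
        if ok { Ok(()) } else { Err(AuthError::InvalidToken) }
    }
}
```

A real interceptor would call `verify` on the metadata of every incoming RPC and reject the call on `Err`; the configuration loader is the place to enforce that an operator cannot start the service with the old static value.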

Details

CWE(s): CWE-287 (Improper Authentication), CWE-798 (Use of Hard-coded Credentials)

Affected Products: rustfs (vendor) / rustfs (product) / 1.0.0 (version)

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1078.001 Default Accounts (Stealth): Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

Why these techniques?

A publicly exposed, hardcoded static authentication token enables unauthenticated remote exploitation of the public-facing gRPC service (T1190) using default/hardcoded credentials (T1078.001) to gain privileged access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
