Platform: rust
Component: rustfs
Fixed in: 1.0.1, 1.0.0-alpha.78
CVE-2025-68926 describes a critical authentication bypass in RustFS. A hardcoded authentication token, present in the RustFS source code and therefore publicly known, lets anyone who can reach the gRPC port execute privileged operations without credentials. The vulnerability affects versions prior to 1.0.0-alpha.78 and is resolved in that release and later. Immediate action is recommended.
The impact of CVE-2025-68926 is severe. Because the authentication token is hardcoded and publicly available within the RustFS source code, any attacker who can reach the gRPC port can authenticate without credentials. This grants them privileged access, enabling them to perform actions such as data destruction, policy manipulation, and cluster configuration changes. The lack of token rotation and configurability exacerbates the risk, as the same vulnerable token is used across all RustFS deployments. This vulnerability presents a significant risk to data integrity and system availability.
CVE-2025-68926 is currently not listed in the CISA KEV catalog. Its EPSS score at the time of writing is 10.61% (93rd percentile), which is consistent with the ease of exploitation (a token anyone can read out of the source) and the severity of the impact. Public proof-of-concept exploits are likely to emerge given the simplicity of the attack vector. The vulnerability was published on 2025-12-30.
Organizations running RustFS in production, particularly with the gRPC port reachable from other hosts, are at significant risk. Shared hosting environments and deployments reachable from untrusted networks are especially exposed. Any deployment that has not yet been updated to a fixed version remains vulnerable, regardless of its other configuration.
• rust: Examine the RustFS source code (or the vendored copy you build from) for the hardcoded token "rustfs rpc" to confirm which version you are running.
• linux / server: Monitor gRPC traffic (port 50051 by default) for authentication attempts carrying the token "rustfs rpc". Use tcpdump to capture packets and Wireshark to analyze them; Wireshark's HTTP/2 dissector is needed because HPACK may Huffman-encode header values, so a literal string search over raw packets can miss the token. TLS-wrapped gRPC traffic cannot be inspected on the wire and has to be observed at the server or a terminating proxy instead.
• generic web: Check whether RustFS gRPC endpoints accept the known token. A plain curl request cannot complete a gRPC call (gRPC needs HTTP/2 with length-prefixed protobuf frames), so use a gRPC-aware client and pass the token as request metadata, for example: grpcurl -plaintext -H 'authorization: rustfs rpc' <host:port> <service>/<method>. Only run such checks against systems you are authorized to assess.
Exploit Status: no confirmed active exploitation (not listed in CISA KEV)
EPSS: 10.61% (93rd percentile)
The primary mitigation for CVE-2025-68926 is to upgrade RustFS to version 1.0.0-alpha.78 or later, which removes the hardcoded token. If an immediate upgrade is not feasible, restrict access to the gRPC port with network segmentation so that only the cluster's own nodes can reach it. A WAF or proxy cannot fix the hardcoded token itself, but a proxy in front of the gRPC port can at least log and alert on unexpected clients. There are no configuration workarounds short of upgrading. After upgrading, confirm the fix by attempting to authenticate with the original token; it should be rejected.
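To make the weakness and the shape of the fix concrete, here is an added example written for this page, not code from RustFS: a minimal stand-in for a gRPC server-side authorization check, first in the hardcoded form the advisory describes, then hardened so the token comes from deployment configuration, is compared in constant time, and the known public value is refused at startup. It uses only the Rust standard library; the metadata map stands in for a real gRPC metadata type, and the metadata key `authorization` and the environment variable name `RUSTFS_RPC_TOKEN` are assumptions for illustration, not RustFS's actual identifiers. The token value `rustfs rpc` is the one this page quotes.

```rust
// Added example (not RustFS's own code). Stand-alone, std only.
use std::collections::HashMap;

/// Request metadata (stand-in for a gRPC metadata map; key is assumed).
pub type Metadata = HashMap<String, String>;

/// The public token named in the advisory. Anything that ships in source
/// code is effectively public; it is kept here only so the hardened check
/// can refuse to start with it.
pub const KNOWN_PUBLIC_TOKEN: &str = "rustfs rpc";

/// Vulnerable pattern: the secret is a compile-time constant, identical in
/// every deployment and impossible to rotate without rebuilding.
pub fn authorize_vulnerable(md: &Metadata) -> bool {
    md.get("authorization")
        .map(|v| v == KNOWN_PUBLIC_TOKEN)
        .unwrap_or(false)
}

#[derive(Debug, PartialEq)]
pub enum ConfigError {
    Missing,
    TooShort,
    KnownPublicValue,
}

/// Hardened pattern: the token is loaded at startup from configuration.
pub struct RpcAuth {
    token: Vec<u8>,
}

impl RpcAuth {
    /// Build from a configured secret (env var, secrets file, KMS). Refuses
    /// to start with no token, a short token, or the known public value, so
    /// a deployment cannot silently fall back to the old behaviour.
    pub fn from_configured(token: Option<&str>) -> Result<Self, ConfigError> {
        let t = token.ok_or(ConfigError::Missing)?;
        if t == KNOWN_PUBLIC_TOKEN {
            return Err(ConfigError::KnownPublicValue);
        }
        if t.len() < 32 {
            return Err(ConfigError::TooShort);
        }
        Ok(Self { token: t.as_bytes().to_vec() })
    }

    /// Convenience loader; the variable name is an assumption for this example.
    pub fn from_env() -> Result<Self, ConfigError> {
        let v = std::env::var("RUSTFS_RPC_TOKEN").ok();
        Self::from_configured(v.as_deref())
    }

    /// Authorize one request. The comparison is constant-time in the value
    /// so response timing does not reveal how many leading bytes matched.
    pub fn authorize(&self, md: &Metadata) -> bool {
        match md.get("authorization") {
            Some(v) => ct_eq(v.as_bytes(), &self.token),
            None => false,
        }
    }
}

/// Constant-time byte comparison (length mismatch is allowed to short-circuit).
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff = 0u8;
    for (x, y) in a.iter().zip(b) {
        diff |= x ^ y;
    }
    diff == 0
}

fn main() {
    // Constructed request carrying the public token.
    let mut req = Metadata::new();
    req.insert("authorization".to_string(), KNOWN_PUBLIC_TOKEN.to_string());
    println!("vulnerable check accepts public token: {}", authorize_vulnerable(&req));

    // Constructed 32-byte secret standing in for a value read from config.
    let auth = RpcAuth::from_configured(Some("0123456789abcdef0123456789abcdef")).expect("config");
    println!("hardened check accepts public token: {}", auth.authorize(&req));
    println!(
        "startup with the public token: {:?}",
        RpcAuth::from_configured(Some(KNOWN_PUBLIC_TOKEN)).err()
    );
}
```

The startup refusal is the part most often forgotten: removing a constant from the code is not enough if an operator can paste the old value back into the new configuration knob.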
Update RustFS to version 1.0.0-alpha.78 or later. This version fixes the authentication vulnerability caused by the hardcoded token: the update removes the static token and requires a more secure authentication configuration.
CVE-2025-68926 is a critical vulnerability in RustFS in which a hardcoded, publicly known token lets attackers bypass gRPC authentication and gain privileged access.
If you are running a RustFS version prior to 1.0.0-alpha.78, you are affected. Assess your deployments immediately.
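Deciding "prior to 1.0.0-alpha.78" across a fleet is easy to get wrong with string comparison, because pre-release versions sort before the release they precede (1.0.0-alpha.78 < 1.0.0 < 1.0.1) and numeric pre-release identifiers compare as integers (alpha.9 < alpha.78). The following is an added example for this page, not from the advisory or the RustFS project, that applies the rule with semver ordering. It assumes, as this page states, that 1.0.0-alpha.78 and everything after it (including 1.0.1) contains the fix; the sample version strings at the bottom are constructed.

```rust
// Added example (not RustFS code): classify reported versions as affected or not.
use std::cmp::Ordering;

/// Threshold taken from the advisory: versions below this are affected.
pub const FIXED_IN: &str = "1.0.0-alpha.78";

#[derive(Debug, Clone, PartialEq, Eq)]
enum PreId {
    Num(u64),
    Alpha(String),
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Version {
    core: [u64; 3],
    pre: Vec<PreId>, // empty for a final release
}

impl Version {
    /// Parse "MAJOR.MINOR.PATCH[-pre.release][+build]", optional leading 'v'.
    pub fn parse(s: &str) -> Option<Self> {
        let s = s.trim().trim_start_matches('v');
        // Build metadata after '+' never affects precedence; drop it.
        let s = s.split_once('+').map(|(v, _)| v).unwrap_or(s);
        let (core, pre) = match s.split_once('-') {
            Some((c, p)) => (c, Some(p)),
            None => (s, None),
        };
        let mut nums = core.split('.').map(|n| n.parse::<u64>().ok());
        let core = [nums.next()??, nums.next()??, nums.next()??];
        if nums.next().is_some() {
            return None;
        }
        let pre = match pre {
            None => Vec::new(),
            Some("") => return None,
            Some(p) => p
                .split('.')
                .map(|id| match id.parse::<u64>() {
                    Ok(n) => PreId::Num(n),
                    Err(_) => PreId::Alpha(id.to_string()),
                })
                .collect(),
        };
        Some(Version { core, pre })
    }
}

/// Semver pre-release precedence: identifier by identifier, numeric before
/// alphanumeric, numeric compared as integers, longer list wins on a tie.
fn cmp_pre(a: &[PreId], b: &[PreId]) -> Ordering {
    for (x, y) in a.iter().zip(b) {
        let o = match (x, y) {
            (PreId::Num(m), PreId::Num(n)) => m.cmp(n),
            (PreId::Num(_), PreId::Alpha(_)) => Ordering::Less,
            (PreId::Alpha(_), PreId::Num(_)) => Ordering::Greater,
            (PreId::Alpha(p), PreId::Alpha(q)) => p.cmp(q),
        };
        if o != Ordering::Equal {
            return o;
        }
    }
    a.len().cmp(&b.len())
}

impl Ord for Version {
    fn cmp(&self, other: &Self) -> Ordering {
        self.core.cmp(&other.core).then_with(|| {
            match (self.pre.is_empty(), other.pre.is_empty()) {
                (true, true) => Ordering::Equal,
                (true, false) => Ordering::Greater, // a release outranks its pre-releases
                (false, true) => Ordering::Less,
                (false, false) => cmp_pre(&self.pre, &other.pre),
            }
        })
    }
}

impl PartialOrd for Version {
    fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
        Some(self.cmp(other))
    }
}

/// Some(true) if affected, Some(false) if fixed, None if the string is not a version.
pub fn is_affected(reported: &str) -> Option<bool> {
    let v = Version::parse(reported)?;
    let fixed = Version::parse(FIXED_IN)?;
    Some(v < fixed)
}

fn main() {
    // Constructed sample of versions as a fleet inventory might report them.
    for v in ["1.0.0-alpha.9", "1.0.0-alpha.77", "v1.0.0-alpha.78", "1.0.0", "1.0.1", "unknown"] {
        println!("{:<18} affected: {:?}", v, is_affected(v));
    }
}
```

A naive lexical comparison would mark 1.0.0-alpha.9 as newer than 1.0.0-alpha.78 and therefore fixed; the integer comparison of pre-release identifiers is what catches that case.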
Upgrade RustFS to version 1.0.0-alpha.78 or later to resolve the authentication bypass. This is the recommended and primary mitigation; network restrictions on the gRPC port are only a stopgap.
While there is no confirmed active exploitation at this time, the ease of exploitation suggests it is likely to be targeted soon. Monitor your systems closely.
Refer to the official RustFS project repository and release notes for the advisory and detailed information regarding the fix.