CVE-2025-68926
published 2025-12-30


Priority: P1 · 84 · critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 29.03% (97.9th percentile)
RustFS is a distributed object storage system built in Rust. In versions prior to 1.0.0-alpha.78, RustFS implements gRPC authentication using a hardcoded static token `"rustfs rpc"` that is publicly exposed in the source code repository, hardcoded on both client and server sides, non-configurable with no mechanism for token rotation, and universally valid across all RustFS deployments. Any attacker with network access to the gRPC port can authenticate using this publicly known token and execute privileged operations including data destruction, policy manipulation, and cluster configuration changes. Version 1.0.0-alpha.78 contains a fix for the issue.

Affected (3 ranges)

Vendor | Product | Version range | Fixed in
rustfs | rustfs | < 1.0.0-alpha.78 | 1.0.0-alpha.78
rustfs | rustfs | | 
rustfs | rustfs | >= 1.0.0-alpha.13 < 1.0.0-alpha.78 | 1.0.0-alpha.78

Detection & IOCs (extracted from sources)

other: rustfs rpc
  • Detect use of the hardcoded gRPC authentication token 'rustfs rpc' in network traffic to the RustFS gRPC port; any request bearing this token should be treated as potentially malicious or unauthorized.
  • Flag RustFS deployments running versions prior to 1.0.0-alpha.78 by extracting the version string from gRPC responses using the regex pattern (\d+\.\d+\.\d+-alpha\.\d+).
  • Use a DSL matcher to identify vulnerable RustFS instances by checking responses for 'alpha' version strings or the fallback indicator 'grpc-auth-bypass'.
  • The hardcoded token is non-configurable and universally valid across ALL RustFS deployments prior to 1.0.0-alpha.78: there is no per-deployment variation or rotation mechanism, meaning the single token 'rustfs rpc' is valid everywhere.
  • The fix is present only in version 1.0.0-alpha.78 and later; all prior alpha versions are vulnerable.
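A defender-side check covering the first two detection points above, added here as an example and not code from the advisory or the RustFS project: it flags requests whose authorization metadata carries the hardcoded token and compares version strings extracted with the advisory's regex against the fixed release numerically (so that alpha.100 is correctly treated as newer than alpha.78). The key=value log format, the peer/method fields and the metadata key name "authorization" are constructed assumptions.

```python
import re

# Values taken from the advisory text above.
HARDCODED_TOKEN = "rustfs rpc"
FIXED_VERSION = "1.0.0-alpha.78"
# The advisory's regex, with capture groups so the parts can be compared as integers.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)-alpha\.(\d+)")

# Constructed sample access-log lines in an assumed key=value format; the metadata
# key name "authorization" and the peer/method fields are assumptions, not RustFS output.
SAMPLE_LOG = """\
2025-12-30T10:01:02Z peer=10.0.0.5 method=DeleteBucket authorization="rustfs rpc" server_version=1.0.0-alpha.70
2025-12-30T10:01:09Z peer=10.0.0.6 method=ListBuckets authorization="Bearer CONSTRUCTED-TOKEN" server_version=1.0.0-alpha.70
2025-12-30T10:02:15Z peer=10.0.0.7 method=SetPolicy authorization="rustfs rpc" server_version=1.0.0-alpha.78
"""

def parse_version(text):
    """Return (major, minor, patch, alpha) from the first alpha version string in text, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None

def is_vulnerable_version(text):
    """True if the version is an alpha build older than the fix; None if no alpha version is present."""
    v = parse_version(text)
    return None if v is None else v < parse_version(FIXED_VERSION)

# key=value pairs; quoted values may contain spaces (the token itself has one).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields

def scan_log(log_text):
    """Return one alert per line that presents the hardcoded token, whatever the server version."""
    alerts = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("authorization") != HARDCODED_TOKEN:
            continue
        alerts.append({
            "timestamp": f["timestamp"],
            "peer": f.get("peer"),
            "method": f.get("method"),
            # True: the server would have accepted the token. False: patched, but the caller is still probing.
            "server_vulnerable": is_vulnerable_version(f.get("server_version", "")),
        })
    return alerts
```

On the constructed sample this yields two alerts: the DeleteBucket call against an alpha.70 server (accepted) and the SetPolicy attempt against an alpha.78 server (rejected, but worth investigating the peer).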