CVE-2025-68926
Published 2025-12-30
Priority P184 · critical · CVSS 3.1 base score 9.8
Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
EXPLOIT
EPSS: 29.03% (97.9th percentile)
RustFS is a distributed object storage system built in Rust. In versions prior to 1.0.0-alpha.78, RustFS implements gRPC authentication using a hardcoded static token `"rustfs rpc"` that is publicly exposed in the source code repository, hardcoded on both client and server sides, non-configurable with no mechanism for token rotation, and universally valid across all RustFS deployments. Any attacker with network access to the gRPC port can authenticate using this publicly known token and execute privileged operations including data destruction, policy manipulation, and cluster configuration changes. Version 1.0.0-alpha.78 contains a fix for the issue.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rustfs | rustfs | < 1.0.0-alpha.78 | 1.0.0-alpha.78 |
| rustfs | rustfs | — | — |
| rustfs | rustfs | >= 1.0.0-alpha.13 < 1.0.0-alpha.78 | 1.0.0-alpha.78 |
Detection & IOCs
- Detect use of the hardcoded gRPC authentication token 'rustfs rpc' in network traffic to the RustFS gRPC port; any request bearing this token should be treated as potentially malicious or unauthorized.
- Flag RustFS deployments running versions prior to 1.0.0-alpha.78 by extracting the version string from gRPC responses using the regex pattern `(\d+\.\d+\.\d+-alpha\.\d+)`.
- Use a DSL matcher to identify vulnerable RustFS instances by checking responses for 'alpha' version strings or the fallback indicator 'grpc-auth-bypass'.
- The hardcoded token is non-configurable and universally valid across ALL RustFS deployments prior to 1.0.0-alpha.78; there is no per-deployment variation or rotation mechanism, meaning the single token 'rustfs rpc' is valid everywhere.
- The fix is present only in version 1.0.0-alpha.78 and later; all prior alpha versions are vulnerable.
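As an added example (not code from the advisory or the RustFS project), a defender-side check that encodes the two indicators above: classifying an observed version string against the 1.0.0-alpha.78 fix boundary, and flagging request log entries whose authorization metadata carries the known static token. The log line layout and the `authorization=` field are assumptions made for illustration.

```python
import re
from typing import List, Optional, Tuple

# Version in which the fix landed, per the advisory (1.0.0-alpha.78).
FIXED_VERSION = (1, 0, 0, 78)
# The static token named in the advisory; any request presenting it is suspect.
HARDCODED_TOKEN = "rustfs rpc"

# Same shape as the advisory's extractor pattern, with capture groups per component.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)-alpha\.(\d+)")
# Assumed log layout: the request's authorization metadata is logged as authorization="...".
_AUTH_RE = re.compile(r'authorization="([^"]*)"')


def parse_alpha_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract an 'X.Y.Z-alpha.N' version from a banner or gRPC response body.
    Returns a comparable tuple, or None when no alpha version string is present."""
    m = _VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def is_vulnerable_version(text: str) -> Optional[bool]:
    """True when the observed version is below 1.0.0-alpha.78 (the affected range
    has no lower bound), False when it is at or past the fix, None when no alpha
    version can be found (the template's 'grpc-auth-bypass' fallback case)."""
    version = parse_alpha_version(text)
    if version is None:
        return None
    return version < FIXED_VERSION


def find_token_use(log_lines: List[str]) -> List[str]:
    """Return the log lines whose authorization metadata is exactly the hardcoded token."""
    hits = []
    for line in log_lines:
        m = _AUTH_RE.search(line)
        if m and m.group(1) == HARDCODED_TOKEN:
            hits.append(line)
    return hits


# Constructed sample log lines (not real RustFS output); peer addresses and
# method names are placeholders.
SAMPLE_LOG = [
    '2025-12-30T10:00:01Z grpc peer=10.0.0.5 method=/example/DeleteBucket authorization="rustfs rpc"',
    '2025-12-30T10:00:02Z grpc peer=10.0.0.6 method=/example/Health authorization="Bearer PLACEHOLDER"',
]

if __name__ == "__main__":
    print(is_vulnerable_version("rustfs 1.0.0-alpha.77"))  # True
    print(find_token_use(SAMPLE_LOG))                       # first line only
```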
GHSA
RustFS has a gRPC Hardcoded Token Authentication Bypass
ghsa·2025-12-30
CVE-2025-68926 [CRITICAL] CWE-287 RustFS has a gRPC Hardcoded Token Authentication Bypass
## Vulnerability Overview
### Description
RustFS implements gRPC authentication using a hardcoded static token `"rustfs rpc"` that is:
1. **Publicly exposed** in the source code repository
2. **Hardcoded** on both client and server sides
3. **Non-configurable** with no mechanism for token rotation
4. **Universally valid** across all RustFS deployments
Any attacker with network access to the gRPC port can authenticate using this publicly known token and execute privileged operations including data destruction, policy manipulation, and cluster configuration changes.
### CVSS 3.1 Score
**Score**: 9.8 (Critical)
**Vector**: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
- **Attack Vector (AV)**: Network - Exploitable remotely
- **A
OSV
RustFS has a gRPC Hardcoded Token Authentication Bypass
osv·2025-12-30
CVE-2025-68926 [CRITICAL] RustFS has a gRPC Hardcoded Token Authentication Bypass
No detection rules found.
Nuclei
RustFS < 1.0.0-alpha.77 - Hardcoded gRPC Authentication Token
nuclei·CVSS 9.8
CVE-2025-68926 [CRITICAL] RustFS < 1.0.0-alpha.77 - Hardcoded gRPC Authentication Token
RustFS 5:
```python
m = re.search(rb'(\d+\.\d+\.\d+-alpha\.\d+)', body)
print(m.group(1).decode() if m else 'grpc-auth-bypass')
```

```yaml
matchers:
  - type: dsl
    dsl:
      - 'contains(response, "alpha") || contains(response, "grpc-auth-bypass")'
extractors:
  - type: regex
    name: version
    regex:
      - "(\\d+\\.\\d+\\.\\d+-alpha\\.\\d+|grpc-auth-bypass)"
# digest: 4a0a00473045022015cbdaff0a72de87b3a5238a9133b95eac29d3445d27d1deb3b696b71739d4540221009846fa120f8cff6e1279f73606d6598fa0047298a7f9f01f29663ac5a6795925:2592222ea8b5b5922b8de61fd7ebe9f8
```