Mallory

Hardcoded Secrets Enable Authentication Bypass in Open-Source Infrastructure (RustFS and Open5GS WebUI)

Tags: default-credential-exposure, identity-authentication-vulnerability, open-source-dependency-vulnerability, internet-exposed-service, internet-facing-service-vulnerability
Updated March 21, 2026 at 02:48 PM (2 sources)

Two critical hardcoded-secret weaknesses were disclosed in widely used open-source infrastructure components, enabling attackers to bypass authentication and obtain administrative control when exposed or left at insecure defaults. In RustFS (an object storage platform often used for backups, logs, and operational data), CVE-2025-68926 (CVSS 9.8) stems from a non-rotatable static authentication token embedded in source code on both client and server sides; an attacker with access to the exposed gRPC management port can use the known token to bypass authentication and gain admin access, creating risk of data integrity loss and service disruption.

In Open5GS (an open-source 5G core implementation), CVE-2026-0622 affects the optional WebUI management interface and arises from default hardcoded cryptographic secrets used for JWT signing. If operators do not change the default environment variables (reportedly set to change-me), an attacker can forge valid JWTs, impersonate an administrator, and gain full WebUI privileges—potentially including configuration and subscriber-data management—while also bypassing controls that rely on authenticated context (e.g., CSRF protections).
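A defender-side audit check for the Open5GS WebUI issue described above, added here as an example that is not part of the original story or of the Open5GS project: it tests whether a JWT taken from your own WebUI session validates under the publicly known default secret, and classifies the configured secret setting. The environment variable name and the 32-character length floor are assumptions, not values from the page.

```python
import base64
import hashlib
import hmac
import json

# Default WebUI JWT signing secret named in the advisory (CVE-2026-0622).
DEFAULT_SECRET = "change-me"
# Hypothetical variable name; the page does not name Open5GS's real variables.
SECRET_ENV_VAR = "WEBUI_JWT_SECRET_PLACEHOLDER"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _hs256(signing_input: bytes, secret: str) -> bytes:
    return hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()

def token_verifies_under(token: str, secret: str) -> bool:
    """True if an HS256 JWT's signature validates under `secret`. A token from
    your own session validating under DEFAULT_SECRET means the default is live."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # malformed base64, JSON, or wrong segment count
        return False
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False  # 'none' or asymmetric algs are outside this check
    expected = _hs256(f"{header_b64}.{payload_b64}".encode(), secret)
    return hmac.compare_digest(expected, sig)

def audit_secret_setting(env: dict) -> str:
    """Classify a deployment's configured secret; unset or default is the bad state."""
    value = env.get(SECRET_ENV_VAR)
    if not value or value == DEFAULT_SECRET:
        return "vulnerable"
    if len(value) < 32:  # assumed floor for a random HMAC key
        return "weak"
    return "ok"

def make_fixture_token(secret: str) -> str:
    """Constructed fixture: a minimal HS256 token used only to exercise the check."""
    compact = {"separators": (",", ":")}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = _b64url(json.dumps({"sub": "audit-fixture"}, **compact).encode())
    sig = _b64url(_hs256(f"{header}.{payload}".encode(), secret))
    return f"{header}.{payload}.{sig}"
```

The same check applies to any HS256-based service whose default signing key is public; only the constant and the variable name change.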

Timeline

  1. Jan 22, 2026

    Public reporting details CVE-2025-68926 in RustFS

    A report disclosed CVE-2025-68926, a critical RustFS authentication bypass caused by a hardcoded static token in client and server code. The report also stated that 252 RustFS instances were identifiable and accessible on the public internet, with concentrations in China and Thailand.

  2. Jan 22, 2026

    Public reporting details CVE-2026-0622 in Open5GS WebUI

    A report disclosed CVE-2026-0622, a critical Open5GS WebUI vulnerability caused by the publicly known default JWT signing secret "change-me." The issue, reported by Andrew Fasano of NIST’s Center for AI Standards & Innovation, could allow forged admin tokens, full administrative access, and exposure or modification of subscriber and configuration data.

  3. Dec 30, 2025

    RustFS releases 1.0.0-alpha.78 to fix hardcoded token flaw

    RustFS released version 1.0.0-alpha.78 to fix a critical authentication bypass caused by a hardcoded, non-rotatable static token embedded in client and server code. The flaw could let attackers reaching the gRPC management port gain administrative access.

  4. Jul 1, 2025

    Open5GS fixes hardcoded WebUI secret in v2.7.6

    Open5GS released version 2.7.6, which removed reliance on the default hardcoded WebUI JWT secret by introducing a self-contained .env file for the Next.js environment. This addressed the issue later tracked as CVE-2026-0622.


Related Stories

Critical Hardcoded Credential Vulnerability in RustFS Storage Clusters

A critical vulnerability, tracked as CVE-2025-68926, was discovered in the RustFS distributed object storage system. The flaw involves the use of a hardcoded static token (`"rustfs rpc"`) for gRPC authentication, which is publicly exposed in the source code and is non-configurable, with no mechanism for token rotation. This token is valid across all RustFS deployments prior to version 1.0.0-alpha.77, allowing any attacker with network access to the gRPC port to authenticate and perform privileged operations such as data destruction, policy manipulation, and cluster configuration changes. The issue has been addressed in version 1.0.0-alpha.77, which removes the hardcoded credential and implements proper authentication controls. Security researchers have rated this vulnerability as critical, assigning it a CVSS score of 9.8 due to the ease of exploitation and the potential impact on data integrity and availability. Organizations using affected versions of RustFS are strongly advised to upgrade to the patched release immediately to mitigate the risk of unauthorized access and potential compromise of storage clusters. No evidence of exploitation in the wild has been reported as of the latest advisories, but the public nature of the token significantly increases the risk of opportunistic attacks.

1 month ago

Critical Hard-Coded JWT Secret Vulnerability in Moxa Network Security Appliances (CVE-2025-6950)

A critical security vulnerability, tracked as CVE-2025-6950, has been identified in Moxa network security appliances and routers, allowing unauthenticated attackers to gain administrative access via a hard-coded JWT secret. The flaw, which carries a CVSS score of 9.9, stems from the use of a hard-coded secret key for signing JSON Web Tokens (JWT) used in the authentication process. This insecure implementation enables attackers to forge valid JWTs without any prior authentication, effectively bypassing all access controls. As a result, an attacker can impersonate any user, including administrators, and obtain full control over the affected device. Exploitation of this vulnerability can lead to unauthorized access, data theft, and complete system compromise. The vulnerability is remotely exploitable, significantly increasing the risk to organizations deploying these devices in critical network environments. According to the available reports, there is no evidence that exploitation of this flaw leads to loss of confidentiality or integrity in systems beyond the affected device itself. The vulnerability was disclosed by Moxa’s Product Security Incident Response Team (PSIRT) and has been publicly documented in multiple security advisories. Security researchers emphasize the severity of the issue due to the ease of exploitation and the potential impact on industrial and enterprise networks. The affected products include a range of Moxa network security appliances and routers, though specific model versions have not been detailed in the public advisories. Organizations using these devices are urged to review their deployments and apply any available patches or mitigations as soon as possible. The vulnerability was published and last updated on October 17, 2025, highlighting the need for immediate attention from network administrators. 
The flaw is distinct from other recent privilege escalation vulnerabilities in Moxa products, as it allows for unauthenticated, rather than authenticated, administrative takeover. Security experts recommend monitoring for signs of unauthorized access and reviewing authentication logs for suspicious activity. The use of hard-coded credentials is a well-known security anti-pattern, and this incident underscores the importance of secure key management in authentication systems. Moxa has been notified and is expected to release further guidance and remediation steps. Until patches are available, organizations should consider network segmentation and access restrictions to limit exposure. The incident has raised concerns about the security of industrial control systems and the potential for similar flaws in other embedded network devices. The vulnerability’s critical rating and remote exploitability make it a high-priority issue for all organizations relying on Moxa network security appliances.

1 month ago

Multiple Critical Vulnerability Disclosures Across Gogs, Jinjava, and Kubernetes Local Path Provisioner

Several **high-severity vulnerability disclosures** were published across widely used developer and infrastructure components, with impacts ranging from **remote code execution (RCE)** to **account takeover** and **arbitrary host file writes**. In *Gogs* (self-hosted Git service), three CVEs were reported: **CVE-2025-64111** (CVSS 9.3) enables RCE by bypassing checks in `UpdateRepoFile` to modify `.git/config` via the API (described as an insufficient fix for an earlier issue); **CVE-2025-64175** (CVSS 7.7) allows a **cross-account 2FA recovery-code bypass** in versions `0.13.3` and earlier if an attacker already has a victim’s username/password; and **CVE-2026-24135** (CVSS 7.2) is a wiki rename path traversal that can delete arbitrary files by manipulating `old_title`. Separately, *Jinjava* (HubSpot CMS template engine) disclosed **CVE-2026-25526** (CVSS 9.8), a sandbox escape chain that permits arbitrary Java code execution by abusing `ForTag` iteration behavior (Bean ELResolver restriction bypass) and `ObjectMapper`-based JSON deserialization to instantiate disallowed classes. A critical Kubernetes storage issue was also disclosed in *Kubernetes Local Path Provisioner*: **CVE-2025-62878** (CVSS 10.0) allows directory traversal via the `parameters.pathPattern` setting, enabling a user who can create storage resources to provision volumes in arbitrary host locations (e.g., `/etc`) and potentially overwrite sensitive files on cluster nodes. In parallel to these product flaws, separate research reported widespread **exposure of Git metadata** on the public internet—approximately **4.96 million** IPs with accessible `.git` directories and **250,000+** exposing `.git/config` files that may contain deployment credentials—highlighting a common, high-impact misconfiguration pattern that can enable source code reconstruction and secret theft. 
Active exploitation activity was reported for *Ivanti Endpoint Manager Mobile (EPMM)* involving **CVE-2026-1281** and **CVE-2026-1340**, where attackers were observed dropping `/mifs/403.jsp` and using a Base64-delivered Java class loader designed for delayed, in-memory activation rather than immediate interactive webshell use.

1 month ago
