CVE-2025-68926: RustFS: The 'rustfs rpc' Skeleton Key (CVE-2025-68926)

#security #cve #cybersecurity

RustFS: The 'rustfs rpc' Skeleton Key (CVE-2025-68926)

Vulnerability ID: CVE-2025-68926
CVSS Score: 9.8
Published: 2025-12-30

A critical authentication bypass in the RustFS distributed object storage system allows unauthenticated attackers to gain full administrative control by sending a specific hardcoded string in the gRPC authorization header.

TL;DR

RustFS versions prior to 1.0.0-alpha.77 contain a hardcoded gRPC authentication token ('rustfs rpc'). Attackers can use this token to bypass all authentication checks, allowing them to delete buckets, modify policies, and seize control of the storage cluster via standard gRPC tools.

⚠️ Exploit Status: POC

Technical Details

CWE: CWE-798 (Use of Hard-coded Credentials)
CVSS v3.1: 9.8 (Critical)
Attack Vector: Network (gRPC)
Privileges Required: None
Port: 9000/TCP
Token Value: "rustfs rpc"

Affected Systems

RustFS < 1.0.0-alpha.77
RustFS: < 1.0.0-alpha.77 (Fixed in: 1.0.0-alpha.77)

Exploit Details

Manual: Exploitation is trivial via any gRPC client using the header 'authorization: rustfs rpc'.

Mitigation Strategies

Upgrade RustFS immediately
Isolate Management Ports
Implement mTLS

Remediation Steps:

Upgrade: Update RustFS to version 1.0.0-alpha.77 or later immediately. This version removes the hardcoded 'check_auth' logic.
Network Defense: Ensure port 9000 (gRPC) is NOT exposed to the public internet. Use a firewall or Security Group to restrict access to trusted internal IPs only.
Verification: Attempt to run the PoC command against your upgraded instance. It should return an 'Unauthenticated' or 'Permission Denied' error without the proper dynamic credentials.