CVE-2026-22055: NetApp Active IQ OneCollect Hard-Coded Credentials (CVSS 8.8)
Active IQ OneCollect version 2.7.3 contains hard-coded credentials embedded in the application. An authenticated user with basic network access can exploit these credentials to perform unauthorized AutoSupport operations—potentially exfiltrating sensitive system telemetry, configuration data, or triggering unwanted support actions. The vulnerability requires an attacker to already have valid credentials to an affected system, but once authenticated, the hard-coded secrets bypass normal access controls and allow privilege escalation to perform high-impact operations.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-259
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-30
NVD description (verbatim)
Active IQ OneCollect version 2.7.3 contains hard-coded credentials that could allow an authenticated attacker with low privileges to perform unauthorized AutoSupport operations.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-22055 is a credential storage vulnerability (CWE-259: Hard-Coded Password) in NetApp Active IQ OneCollect v2.7.3. The application embeds static credentials in its codebase or configuration, enabling authenticated network attackers to perform unauthorized AutoSupport submissions. The CVSS v3.1 score of 8.8 (HIGH) reflects the network-accessible attack vector, low privilege requirement, and high impact across confidentiality, integrity, and availability. An attacker leveraging these credentials gains elevated functional access without requiring additional authentication steps, effectively bypassing application-level authorization for AutoSupport operations.
Business impact
Unauthorized AutoSupport submissions can expose sensitive diagnostic data—including configuration details, performance metrics, and potentially credentials—to NetApp infrastructure. An attacker could also manipulate support requests to disrupt operations, trigger false escalations, or obscure legitimate support interactions. For organizations relying on Active IQ OneCollect for proactive monitoring and automated support workflows, credential compromise could undermine the integrity of the telemetry pipeline and erode confidence in automated remediation actions. Data exfiltration risk is moderate to high depending on what AutoSupport payloads contain in your environment.
Affected systems
NetApp Active IQ OneCollect version 2.7.3 is affected. Verify your installed version via the OneCollect management interface or host-level package management tools. Earlier and later versions should be tested against vendor advisories to confirm scope; 2.7.3 is the confirmed vulnerable release as of this publication. Organizations running OneCollect as a standalone collection agent or integrated with larger Active IQ management deployments are in scope.
Exploitability
Exploitability is moderate-to-high in practice. An attacker must first obtain valid network credentials (user account and password) to access the affected OneCollect instance—this is the primary barrier. Once authenticated, discovering and leveraging the hard-coded credentials requires minimal effort: the credentials are static and embedded in the application, so no runtime exploitation or memory manipulation is required. No known public exploits or KEV listing currently exist, but the low complexity of the attack and the high impact once credentials are obtained make this a prioritized target in post-compromise scenarios or insider-threat contexts.
Remediation
NetApp has likely released a patched version of Active IQ OneCollect that removes or properly encrypts the hard-coded credentials. Verify the latest available version and security advisory on the NetApp support portal. The immediate mitigation is to upgrade to a version confirmed by NetApp to address CWE-259. If an immediate patch is unavailable, restrict network access to OneCollect management interfaces using firewall rules or network segmentation, and audit AutoSupport submission logs for anomalous activity. Rotate or revoke any credentials exposed by this vulnerability across dependent systems.
Patch guidance
Check the NetApp support portal and security advisories for Active IQ OneCollect version 2.7.4 or later (verify exact version against the vendor advisory—do not assume version numbering). Plan a maintenance window for OneCollect upgrades, as they may require host-level restarts or brief service interruptions. Before deploying, test the patched version in a non-production environment to ensure compatibility with your Active IQ configuration and downstream monitoring integrations. After upgrading, confirm that AutoSupport submission behavior and telemetry collection remain consistent.
Detection guidance
Monitor OneCollect access and AutoSupport submission logs for unusual activity: unexpected submissions, submissions from anomalous IP addresses, or submissions outside normal change windows. Check for failed authentication attempts followed by successful submissions—this may indicate credential enumeration or brute-force activity. Review OneCollect configuration files and process listings for any references to embedded credentials or plaintext secrets. Use Host-based Intrusion Detection (HIDS) and application log analysis tools to flag unauthorized AutoSupport API calls. Correlate with your IAM and network access logs to identify which users or service accounts triggered the submissions.
Why prioritize this
This vulnerability scores HIGH (8.8) and requires immediate attention due to the convergence of high impact (confidentiality, integrity, availability all affected) and low barrier to exploitation once credentials are obtained. Although exploitation requires prior authentication, OneCollect operates in trusted network environments where lateral movement or compromised service accounts are realistic attack paths. Hard-coded credentials are particularly insidious because they persist across password resets and cannot be revoked through normal IAM controls. Active IQ OneCollect is often deployed as a trusted telemetry agent with broad access to system and configuration data; compromise undermines that trust chain. Prioritize patching within 30 days, sooner if OneCollect is internet-facing or has broad internal access.
Risk score, explained
The CVSS v3.1 score of 8.8 reflects: (1) Network-Accessible Attack Vector—OneCollect can be reached over the network; (2) Low Privilege Requirement—an authenticated user with basic access can exploit it; (3) No User Interaction required; (4) High impact across all three security dimensions (confidentiality: sensitive telemetry exposure; integrity: unauthorized support submissions; availability: potential disruption to monitoring); (5) Unchanged Scope (the vulnerability does not cross trust boundaries in the CVSS sense, though it does escalate functional access). The score does not assume public exploit code or active KEV listing, but the inherent simplicity and high impact of hard-coded credential exploitation elevates the practical risk.
Frequently asked questions
Why is a hard-coded credential vulnerability scored so high if it requires authentication first?
Because the hard-coded credentials themselves bypass the normal authorization layer for AutoSupport operations. An attacker does not need elevated credentials—just any valid account. Once in, the embedded secrets unlock high-impact actions without further authentication, effectively a privilege escalation. In practice, low-privileged accounts or compromised service accounts in the same network are common entry points, making this vulnerability a realistic attack path in post-compromise scenarios.
What data can an attacker exfiltrate via unauthorized AutoSupport?
AutoSupport payloads typically include system configurations, performance metrics, storage snapshots, event logs, and diagnostic bundles. Depending on your OneCollect setup, this may include hostnames, IP ranges, software versions, and in some cases partial credentials or configuration data. Review your organization's AutoSupport retention policy and payload content with NetApp support to understand your specific exposure.
If we are not connected to NetApp Active IQ, are we still at risk?
If you are running OneCollect but not actively submitting to NetApp infrastructure, the risk is lower but not eliminated. An attacker could use the hard-coded credentials to trigger local or rogue AutoSupport submissions, exfiltrate data to an attacker-controlled endpoint, or manipulate OneCollect behavior. Upgrade regardless, and verify network egress rules to prevent unauthorized submissions to external AutoSupport endpoints.
How do we know if we've been exploited?
Check AutoSupport submission logs and OneCollect audit trails for entries you do not recognize—unusual timestamps, source IPs, or submission sizes are red flags. Query your NetApp Active IQ portal for submissions that do not correlate with your scheduled collection windows. If your environment has Host-Based Firewall or Endpoint Detection and Response (EDR) tools, look for unexpected outbound connections from OneCollect hosts to NetApp or rogue infrastructure. If you suspect compromise, rotate local credentials and review downstream system access logs for anomalies.
This analysis is based on publicly available CVE data and NetApp vendor information as of June 2026. Organizations must verify affected versions, patch availability, and applicability to their specific OneCollect deployments by consulting the official NetApp security advisory. Patch dates, version numbers, and detailed remediation steps are the responsibility of NetApp and must be validated against the vendor portal. SEC.co provides this intelligence for awareness and priority planning; all deployment and testing decisions should align with your organization's change management and security policies. If you are unsure whether your environment is affected, contact NetApp Support or your system administrator. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-22054HIGHHard-Coded Credentials in NetApp Active IQ Config Advisor 6.7.3
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25383HIGHFree MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25388HIGHHaPe PKH 1.1 Arbitrary File Upload Vulnerability (CVSS 8.8)
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction
- CVE-2018-25390HIGHUnauthenticated SQL Injection in HaPe PKH 1.1