CVE-2025-12772: Brocade SANnav Information Disclosure

CVE-2025-12772 is an information disclosure vulnerability in Brocade SANnav that exposes switch admin passwords in logs and heap dumps. This article covers technical details, affected versions, and mitigation steps.

CVE-2025-12772 Overview

CVE-2025-12772 is a cleartext storage of sensitive information vulnerability (CWE-312) affecting Brocade SANnav versions prior to 2.4.0b. The vulnerability arises from improper handling of credentials in logging mechanisms, where the Brocade Fabric OS Switch admin password is written to SANnav support save logs in cleartext. Additionally, when an Out-of-Memory (OOM) condition occurs on a SANnav server, the resulting heap dump file captures the switch password in cleartext as part of the call stack trace.

Critical Impact

A remote authenticated attacker with admin privileges can access SANnav logs or supportsave files to extract switch admin passwords in cleartext, potentially compromising the entire SAN fabric infrastructure.

Affected Products

  • Brocade SANnav versions before 2.4.0b
  • Brocade Fabric OS Switch (credentials exposed through SANnav)
  • Systems utilizing SANnav supportsave functionality

Discovery Timeline

  • 2026-02-02 - CVE-2025-12772 published to NVD
  • 2026-02-03 - Last updated in NVD database

Technical Details for CVE-2025-12772

Vulnerability Analysis

This vulnerability represents a significant information disclosure issue in the Brocade SANnav storage area network management platform. The core problem lies in the application's logging practices, which fail to properly sanitize or redact sensitive credential information before writing to log files.

The vulnerability manifests in two distinct scenarios. First, during normal operation, the SANnav support save functionality captures diagnostic information that inadvertently includes the Fabric OS Switch admin password. Second, during exceptional conditions when an OOM event triggers heap dump generation, the call stack trace preserved in the heap dump contains the switch password in readable form.

The impact extends beyond simple credential exposure—compromised switch admin credentials could allow an attacker to gain full control over SAN fabric switches, potentially disrupting enterprise storage infrastructure, accessing sensitive data, or pivoting to additional systems within the storage network.

Root Cause

The root cause of CVE-2025-12772 is the failure to implement proper credential masking in the logging subsystem. When the SANnav application processes switch authentication, it stores credentials in memory without adequate protection. The supportsave functionality and JVM heap dump mechanisms then capture this unprotected data, persisting cleartext passwords to disk where they can be retrieved by authorized but potentially malicious administrators.

Attack Vector

Exploitation requires network access and authenticated admin privileges on the SANnav management platform. An attacker would need to:

  1. Obtain administrative access to the SANnav web interface or underlying system
  2. Access the supportsave logs directory or trigger a heap dump collection
  3. Search the log files or heap dump for cleartext password strings
  4. Use the extracted credentials to authenticate to Fabric OS switches

The attack is particularly concerning in environments with shared administrative access or insider threat scenarios, as legitimate admin credentials to SANnav can be leveraged to escalate privileges to the underlying SAN fabric.

Detection Methods for CVE-2025-12772

Indicators of Compromise

  • Unusual access patterns to SANnav supportsave log directories
  • Unexpected heap dump file generation or access
  • Suspicious file transfers of .log or heap dump files from SANnav servers
  • Login attempts to Fabric OS switches using credentials not recently changed

Detection Strategies

  • Monitor file access logs for SANnav support save directories and heap dump locations
  • Implement file integrity monitoring on sensitive log directories
  • Alert on bulk download or copy operations involving diagnostic files
  • Track administrative login patterns to Fabric OS switches for anomalous activity

Monitoring Recommendations

  • Enable detailed audit logging for SANnav administrative actions
  • Configure SIEM rules to correlate SANnav log access with subsequent switch logins
  • Implement behavioral analysis for admin account activities
  • Review access control lists for SANnav diagnostic file locations regularly
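
The correlation rule recommended above (diagnostic file access followed by a switch login), sketched as an added example that is not part of the original advisory or any Broadcom tooling. The event fields, hostnames, addresses, the 24-hour window and the choice to correlate on source address are all assumptions; real SANnav and Fabric OS logs would first need to be normalized into this shape.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)              # assumed correlation window; tune per environment
DIAG_MARKERS = ("supportsave", ".hprof")  # assumed substrings that identify diagnostic files

# Constructed, already-normalized events. Field names are hypothetical,
# not an actual SANnav or Fabric OS log format.
EVENTS = [
    {"ts": "2026-02-10T09:00:00", "kind": "file_read", "host": "sannav01",
     "src": "10.0.5.20", "path": "/logs/supportsave_0210.zip"},
    {"ts": "2026-02-10T09:40:00", "kind": "switch_login", "host": "fos-sw-01", "src": "10.0.5.20"},
    {"ts": "2026-02-10T10:00:00", "kind": "switch_login", "host": "fos-sw-02", "src": "10.0.9.9"},
    {"ts": "2026-02-12T11:00:00", "kind": "switch_login", "host": "fos-sw-01", "src": "10.0.5.20"},
    {"ts": "2026-02-13T08:00:00", "kind": "file_read", "host": "sannav01",
     "src": "10.0.7.7", "path": "/dumps/java_pid4242.hprof"},
    {"ts": "2026-02-13T08:05:00", "kind": "switch_login", "host": "fos-sw-03", "src": "10.0.7.7"},
]


def correlate(events, window=WINDOW):
    """Pair each switch login with the most recent diagnostic-file read
    from the same source address, if that read falls inside the window."""
    parsed = sorted(({**e, "t": datetime.fromisoformat(e["ts"])} for e in events),
                    key=lambda e: e["t"])
    last_read = {}  # source address -> latest diagnostic file read seen so far
    alerts = []
    for e in parsed:
        if e["kind"] == "file_read" and any(m in e["path"].lower() for m in DIAG_MARKERS):
            last_read[e["src"]] = e
        elif e["kind"] == "switch_login":
            read = last_read.get(e["src"])
            if read and e["t"] - read["t"] <= window:
                delay = int((e["t"] - read["t"]).total_seconds() // 60)
                alerts.append({"src": e["src"], "file": read["path"],
                               "switch": e["host"], "delay_min": delay})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Logins from an address with no prior diagnostic read, or outside the window, produce no alert; a production rule would likely also key on the admin account, not only the source address.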

How to Mitigate CVE-2025-12772

Immediate Actions Required

  • Upgrade Brocade SANnav to version 2.4.0b or later immediately
  • Rotate all Fabric OS Switch admin passwords after upgrading
  • Audit and delete existing supportsave logs and heap dump files containing exposed credentials
  • Review access logs for any suspicious retrieval of diagnostic files
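
One way to carry out the audit step above, as an added example that is not from the advisory or from Broadcom: given a directory of collected diagnostic files and a switch password you already know, list the files that still contain it. The script assumes the password may appear as UTF-8 in text logs and as Latin-1 or UTF-16 inside a JVM heap dump; the directory layout is whatever you point it at.

```python
import os

CHUNK = 1 << 20  # stream 1 MiB at a time; heap dumps can be many GB

def encodings_of(secret):
    """Byte forms the same string can take on disk: UTF-8 in text logs,
    Latin-1 or UTF-16 (either byte order) inside a JVM heap dump."""
    forms = set()
    for codec in ("utf-8", "latin-1", "utf-16-be", "utf-16-le"):
        try:
            forms.add(secret.encode(codec))
        except UnicodeEncodeError:
            pass  # secret not representable in this codec
    return sorted(forms)

def file_contains(path, needles, chunk_size=CHUNK):
    """True if any needle occurs in the file, including across chunk boundaries."""
    overlap = max(len(n) for n in needles) - 1
    tail = b""
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            window = tail + chunk
            if any(n in window for n in needles):
                return True
            tail = window[-overlap:] if overlap else b""
    return False

def audit(root, secret):
    """Relative paths of files under root holding the secret; the secret is never echoed."""
    if not secret:
        raise ValueError("empty secret")
    needles = encodings_of(secret)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                if file_contains(full, needles):
                    hits.append(os.path.relpath(full, root))
            except OSError:
                hits.append(os.path.relpath(full, root) + " (unreadable, check manually)")
    return sorted(hits)

if __name__ == "__main__":
    import getpass, sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    print("\n".join(audit(root, getpass.getpass("Password to search for: "))))
```

The password is read with `getpass` so it does not land in shell history or the process list. Compressed supportsave archives must be extracted first, because the search runs over raw bytes.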

Patch Information

Broadcom has addressed this vulnerability in Brocade SANnav version 2.4.0b. Organizations should obtain the patched version through Broadcom's support portal. For detailed information, refer to the Broadcom Security Advisory.

Workarounds

  • Restrict administrative access to SANnav servers to the minimum required personnel
  • Implement strict file-level access controls on supportsave directories
  • Disable or limit heap dump generation where operationally feasible
  • Store supportsave files in encrypted volumes with restricted access
  • Implement network segmentation to isolate SANnav management traffic

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
