MichaelAdamGroberman/CVE-2026-32662

CERT/CC VU#653116 | CISA Advisory ICSA-26-055-03 | All CVEs | Case Repository

CVE-2026-32662: Active Debug Code in Production

Classification

  • CVE: CVE-2026-32662
  • Gr0m ID: Gr0m-019
  • CVSS 3.1: 5.3 (Medium)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • CWE: CWE-489 (Active Debug Code)
  • Status: PARTIALLY FIXED (403 Forbidden, but infrastructure still deployed)

Summary

Development and test API endpoints present in production mirror production functionality. Before remediation, the development API returned production credentials including the iothubowner key (CVE-2025-1242) without authentication. Development credentials also remain embedded in production mobile app and admin panel builds.
Development Endpoints

Endpoint                        Status
[REDACTED — Dev API host #1]    403 Forbidden (blocked)
[REDACTED — Dev API host #2]    Unknown

Production API Surface (disclosed in builds)

Endpoint                          Purpose
[REDACTED — Production host]      Main production API
[REDACTED — Legacy host]          Legacy API
[REDACTED — Orders host]          Order processing
[REDACTED — Kelby service host]   AI assistant service layer
[REDACTED — Data API host]        Data API

Impact

  • Historical credential leakage via development endpoints
  • Development credentials in production builds enable reconnaissance
  • Parallel environments with production credentials create alternate attack paths
  • Risk of future re-exposure if access controls are relaxed

Remediation

  1. Decommission publicly-routable development endpoints
  2. Network-segregate non-production environments
  3. Never use production credentials in development environments
  4. Strip development artifacts from production builds
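A release-gate check for step 4 above (and for the build-embedded development credentials noted under Impact), added here as an example; it is not the advisory's or the vendor's code. It assumes a build's string or config dump as input, the environment-name conventions listed in NON_PROD_LABELS, and the documented Azure IoT Hub connection-string shape (HostName=...;SharedAccessKeyName=...;SharedAccessKey=...); the sample config and key below are constructed.

```python
"""Release gate: flag non-production hosts and embedded hub credentials in a build artifact."""
import re

# Hostname labels that mark a non-production environment (assumed naming conventions).
NON_PROD_LABELS = re.compile(r"\b(dev|development|test|staging|stage|qa|sandbox)\b", re.I)
# Host part of any http(s) URL found in the artifact.
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
# Azure IoT Hub connection-string shape; the key name 'iothubowner' is the hub-wide policy.
IOTHUB_RE = re.compile(
    r"HostName=([^;\s]+);SharedAccessKeyName=([^;\s]+);SharedAccessKey=([A-Za-z0-9+/=]+)"
)

# Constructed sample of strings pulled from a build; all hosts use the reserved .invalid TLD.
SAMPLE_BUILD_CONFIG = """\
API_BASE=https://api.example-prod.invalid/v2
LEGACY_API=https://legacy.example-prod.invalid
DEV_API=https://api-dev.example.invalid/v2
IOT_CONN=HostName=example-hub.azure-devices.net;SharedAccessKeyName=iothubowner;SharedAccessKey=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
"""


def scan_artifact(text: str) -> list:
    """Return (kind, evidence) findings; secret material is never echoed in full."""
    findings = []
    for host in sorted(set(HOST_RE.findall(text))):
        if NON_PROD_LABELS.search(host):
            findings.append(("non_prod_endpoint", host))
    for hub, key_name, key in IOTHUB_RE.findall(text):
        # A hub-wide policy key in a client build is a policy violation, not just a leak.
        kind = "policy_key_embedded" if key_name == "iothubowner" else "sas_key_embedded"
        findings.append((kind, f"{hub} keyname={key_name} key_prefix={key[:4]} len={len(key)}"))
    return findings


def release_gate(text: str) -> bool:
    """True when the artifact carries no non-production hosts or embedded hub credentials."""
    return not scan_artifact(text)


if __name__ == "__main__":
    for kind, evidence in scan_artifact(SAMPLE_BUILD_CONFIG):
        print(f"{kind}: {evidence}")
    print("ship" if release_gate(SAMPLE_BUILD_CONFIG) else "block")
```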

Full Technical Writeup

See CVE-2026-32662.md for the complete CISA-aligned advisory.
Researcher: Michael Groberman — Gr0m
Contact: michael@groberman.tech · LinkedIn
