CVE-2026-1814: CWE-331 Insufficient Entropy in Rapid7 InsightVM/Nexpose
Rapid7 Nexpose versions 6.4.50 and later are vulnerable to an insufficient entropy issue in the CredentialsKeyStorePassword.generateRandomPassword() method. When updating legacy keystore passwords, the application generates a new password with insufficient length (7-12 characters) and a static prefix 'p', resulting in a weak keyspace. An attacker with access to the nsc.ks file can brute-force this password using consumer-grade hardware to decrypt stored credentials.
AI Analysis
Technical Summary
CVE-2026-1814 identifies a cryptographic weakness in Rapid7 InsightVM/Nexpose, specifically in the CredentialsKeyStorePassword.generateRandomPassword() method as present in version 6.4.50 and later. When legacy keystore passwords are updated, the system generates new passwords that are insufficiently random and short, ranging from 7 to 12 characters and always starting with the static prefix 'p'. This design flaw drastically reduces the effective keyspace, making brute-force attacks feasible with modest computational resources. An attacker who gains access to the nsc.ks keystore file can attempt to brute-force the password protecting stored credentials. Since that password protects sensitive credential data used by the vulnerability management platform, a successful brute-force attack exposes those credentials and can enable further compromise of scanned assets. Exploitation requires the attacker to already hold high privileges on the host in order to read the keystore file, and no user interaction is needed. The CVSS 4.0 base score is 6.8, reflecting medium severity with a local attack vector, high attack complexity, and high impact on confidentiality. No patches or exploits are currently publicly available, but the weakness in password generation represents a significant risk to credential confidentiality in affected environments.
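As an added illustration (not code from the advisory or from Rapid7), the following computes the keyspace of the password scheme described above, shows how much of it the static prefix gives away, and places it beside a CSPRNG-based generator of the kind that closes the weakness. The 62-character alphabet, the 32-character minimum and all function names are assumptions; the advisory states only the 7-12 character length and the 'p' prefix.

```python
import math
import secrets
import string

# Assumption: the advisory does not state the generator's character set, so this
# uses 62 alphanumerics; a smaller real set would only shrink the keyspace further.
ASSUMED_CHARSET = string.ascii_letters + string.digits


def weak_keyspace(min_len=7, max_len=12, prefix_len=1, charset_size=len(ASSUMED_CHARSET)):
    """Candidate count for the scheme CVE-2026-1814 describes: total length
    min_len..max_len, of which prefix_len characters are fixed (the static 'p')."""
    return sum(charset_size ** (n - prefix_len) for n in range(min_len, max_len + 1))


def entropy_bits(keyspace):
    """Effective entropy, in bits, of a password drawn uniformly from a keyspace."""
    return math.log2(keyspace)


def bits_lost_to_prefix(prefix_len=1, charset_size=len(ASSUMED_CHARSET)):
    """Every fixed prefix character removes log2(charset_size) bits of entropy."""
    return prefix_len * math.log2(charset_size)


def hardened_password(length=32, charset=ASSUMED_CHARSET):
    """Illustrative hardened generator (not Rapid7's code): a CSPRNG, a fixed long
    length and no static prefix. secrets.choice draws from the OS entropy source."""
    if length < 32:
        raise ValueError("keystore passwords should be at least 32 characters")
    return "".join(secrets.choice(charset) for _ in range(length))


def hardened_keyspace(length=32, charset_size=len(ASSUMED_CHARSET)):
    """Keyspace of the hardened scheme: every position is free and random."""
    return charset_size ** length


if __name__ == "__main__":
    weak = weak_keyspace()
    print(f"weak scheme:      {entropy_bits(weak):.1f} bits "
          f"({bits_lost_to_prefix():.1f} bits lost to the static prefix)")
    print(f"hardened 32-char: {entropy_bits(hardened_keyspace()):.1f} bits")
    print("sample hardened password:", hardened_password())
```

With the assumed alphabet the weak scheme yields roughly 65.5 bits and the hardened one roughly 190 bits; the gap widens further if the real alphabet is smaller than 62 characters.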
Potential Impact
The primary impact of this vulnerability is the potential compromise of stored credentials within Rapid7 InsightVM/Nexpose environments. If an attacker with high privileges on the host can access the nsc.ks keystore file, they can brute-force the weakly generated password and decrypt sensitive credentials used for vulnerability scanning and asset management. This can lead to unauthorized access to critical infrastructure, lateral movement, and escalation of privileges within an organization’s network. The confidentiality of credential data is severely impacted, while integrity and availability are less directly affected. Organizations relying on InsightVM/Nexpose for vulnerability management could face increased risk of credential theft and subsequent exploitation of scanned systems. The medium CVSS score reflects that exploitation requires local access and high privileges, limiting the scope but still posing a significant threat in compromised environments. The lack of known exploits reduces immediate risk but does not diminish the need for remediation.
Mitigation Recommendations
To mitigate this vulnerability, organizations should:
1) Upgrade Rapid7 InsightVM/Nexpose to a version in which this issue is resolved, once Rapid7 releases a patch.
2) Until a patch is available, restrict access to the nsc.ks keystore file to trusted administrators only, and monitor for unauthorized access attempts.
3) Implement strict host-level access controls and auditing to detect and prevent the privilege escalation that would be needed to reach the keystore file.
4) After remediation, rotate and reset the credentials stored in InsightVM/Nexpose to invalidate any secrets that may already have been compromised.
5) Apply network segmentation and least-privilege principles to limit the impact of any credential compromise.
6) Where supported, use an external credential vault or secrets-management solution integrated with InsightVM/Nexpose to reduce reliance on the local keystore.
7) Monitor vendor advisories for patches and apply them promptly.
These steps focus on protecting the keystore file, controlling privileged access, and credential hygiene.
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Japan, South Korea, India, Brazil
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- rapid7
- Date Reserved
- 2026-02-03T14:05:09.471Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 698210fef9fa50a62fce298c
Added to database: 2/3/2026, 3:15:10 PM
Last enriched: 2/27/2026, 7:49:49 AM
Last updated: 3/20/2026, 5:48:00 PM