CVE-2026-22050
📋 TL;DR
A vulnerability in NetApp ONTAP with snapshot locking enabled allows privileged remote attackers to set snapshot expiry times to 'none', potentially preventing automatic deletion. This affects ONTAP versions 9.16.1 before 9.16.1P9 and 9.17.1 before 9.17.1P2. Only systems with snapshot locking enabled are vulnerable.
💻 Affected Systems
- NetApp ONTAP
📦 What is this software?
Ontap by Netapp
⚠️ Risk & Real-World Impact
Worst Case
An attacker could disable snapshot expiration indefinitely, leading to uncontrolled storage consumption, performance degradation, and potential denial of service due to storage exhaustion.
Likely Case
Storage capacity issues as snapshots accumulate beyond intended retention periods, increasing costs and potentially impacting system performance.
If Mitigated
Minimal impact if proper access controls limit privileged accounts and storage monitoring is in place to detect abnormal snapshot behavior.
🎯 Exploit Status
Requires privileged remote attacker credentials. Simple command execution to modify snapshot expiry settings.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.16.1P9 or 9.17.1P2
Vendor Advisory: https://security.netapp.com/advisory/NTAP-20260112-0001
Restart Required: No
Instructions:
1. Check current ONTAP version.
2. Upgrade to 9.16.1P9 or 9.17.1P2 via NetApp support.
3. Verify patch installation.
No restart required.
🔧 Temporary Workarounds
Disable Snapshot Locking
(all) Temporarily disable the snapshot locking feature if not required
snap lock modify -vserver <vserver_name> -volume <volume_name> -snap-lock disabled
Restrict Privileged Access
(all) Limit administrative access to trusted users only
security login modify -vserver <vserver_name> -user-or-group-name <admin_user> -application ssh -authentication-method password -role admin -second-authentication-method none
🧯 If You Can't Patch
- Implement strict access controls for administrative accounts
- Monitor snapshot creation and expiry patterns for anomalies
🔍 How to Verify
Check if Vulnerable:
Check ONTAP version with 'version' command and verify if snapshot locking is enabled with 'snap lock show'
Check Version:
version
Verify Fix Applied:
Confirm version is 9.16.1P9 or 9.17.1P2 or higher using 'version' command
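An added example, not part of the vendor advisory or of this page's original text: a fleet triage helper that applies the affected ranges stated above (9.16.1 before 9.16.1P9, 9.17.1 before 9.17.1P2) together with the snapshot-locking condition. The banner format in the sample, the inventory field names and the status labels are assumptions, and the inventory itself is constructed.

```python
import re

# Fixed patch level per affected release train, as stated on this page.
FIXED_PATCH = {(9, 16, 1): 9, (9, 17, 1): 2}
# x.y.z with optional P<n>; any other suffix (RC, D-patch) is rejected.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:P(\d+))?(?![\w.])")


def parse_ontap_version(text):
    """Return ((major, minor, maint), patch); a GA release is patch 0."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no plain ONTAP version in {text!r}")
    major, minor, maint, patch = m.groups()
    return (int(major), int(minor), int(maint)), int(patch or 0)


def cve_2026_22050_status(version_text, snapshot_locking_enabled):
    """Classify one system against the ranges given for CVE-2026-22050."""
    train, patch = parse_ontap_version(version_text)
    fixed = FIXED_PATCH.get(train)
    if fixed is None:
        return "not-listed"  # release train not named on this page
    if patch >= fixed:
        return "fixed"
    if snapshot_locking_enabled:
        return "vulnerable"
    return "affected-version-locking-off"  # exposed once locking is enabled


def triage(inventory):
    """Map system name -> status; unparseable versions need manual review."""
    result = {}
    for item in inventory:
        try:
            result[item["name"]] = cve_2026_22050_status(
                item["version"], item["snapshot_locking_enabled"])
        except ValueError:
            result[item["name"]] = "manual-review"
    return result


# Constructed sample inventory (hypothetical names, assumed banner format).
SAMPLE = [
    {"name": "clu-a", "version": "NetApp Release 9.16.1P3: Thu Jan 01 00:00:00 UTC 2026", "snapshot_locking_enabled": True},
    {"name": "clu-b", "version": "9.16.1P9", "snapshot_locking_enabled": True},
    {"name": "clu-c", "version": "9.17.1P1", "snapshot_locking_enabled": False},
    {"name": "clu-d", "version": "9.17.1RC1", "snapshot_locking_enabled": True},
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE).items():
        print(f"{name}: {status}")
```

Systems reported as `affected-version-locking-off` still need the patch, since enabling snapshot locking later would expose them.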
📡 Detection & Monitoring
Log Indicators:
- Audit logs showing snapshot expiry modifications to 'none'
- Unexpected snapshot lock configuration changes
Network Indicators:
- Administrative protocol connections (SSH, HTTPS) from unusual sources
SIEM Query:
source="ontap" AND (event_type="snapshot_modify" OR event_type="config_change") AND (action="set_expiry_none" OR parameter="snap-lock")