Security Advisory: Immediate Rotation of ‘ServiceBootstrap’ User Credentials

Date: 11th December 2025
Severity: High
Audience: All Self-Hosted Cumulocity Cloud & Cumulocity Edge Customers
Action Required: Immediate password rotation of the ServiceBootstrap user.

Summary

We recently identified that the ‘servicebootstrap’ user password had been inadvertently committed to a small number of our internal GitHub repositories. This credential is shipped by default, and our documentation clearly instructs customers to change it during deployment. However, we have observed a few installations where the default credential was still in use, i.e. it had not been changed.

If compromised, these credentials could allow elevated administrative actions within the platform.

Impact on Self-Hosted Deployments

In self-hosted deployments, the ‘servicebootstrap’ user may still be using this recently leaked password if it was not changed during installation. We therefore strongly advise all self-hosted customers to rotate this password immediately to eliminate the risk.

  • Required Action: Rotate the ‘servicebootstrap’ user password immediately.

Impact on Edge Deployments

Edge versions prior to 2025.0.7 need attention.

  • Required Action: Upgrade to the latest available Edge version. If upgrading is not feasible, please contact support.

Edge versions 2025.0.7 and later are NOT affected. During every installation, the ‘servicebootstrap’ user credentials are automatically and uniquely regenerated, so the default credential is never used.

  • Required Action: None.

Our Response

All internal and public environments managed by Cumulocity cloud operations have had the credential rotated.

A long-term architectural change is underway to eliminate the dependency on the servicebootstrap user for communication between microservices and the core platform. It will be replaced with a more robust and secure mechanism to prevent similar risks in the future.

Additional preventive controls have been implemented to avoid accidental secret commits, including:

  • Enhanced GitHub secret-scanning and repository monitoring
  • Automated CI checks for secret detection
  • Improved developer guidelines and periodic repository audits

Support

If you need assistance performing the password rotation or validating your environment, please contact our support team.