September 1, 2025
The SUSE Rancher Security Team has issued a critical security advisory for NeuVector, an open-source container security platform integrated with Rancher. The flaw, tracked as CVE-2025-8077, carries a CVSS score of 9.8 and exposes Kubernetes clusters to full compromise if not remediated.
NeuVector is an open-source container security platform providing end-to-end security for Kubernetes environments, focusing on zero-trust principles and runtime security. It combines vulnerability and compliance scanning with deep packet inspection, enabling organizations to block unauthorized network traffic without relying on predefined signatures.
The issue stems from the use of a weak, hardcoded credential. According to the advisory, “A vulnerability exists in NeuVector versions up to and including 5.4.5, where a fixed string is used as the default password for the built-in admin account. If this password is not changed immediately after deployment, any workload with network access within the cluster could use the default credentials to obtain an authentication token.”
With this token, an attacker could invoke NeuVector APIs to perform any administrative operation, effectively taking control of the security platform and undermining protections across the Kubernetes environment.
Earlier versions attempted to mitigate this by allowing admins to set the bootstrap password via a Kubernetes Secret (neuvector-bootstrap-secret). However, the advisory warns: “If NeuVector fails to retrieve this value, it falls back to the fixed default password.”
The flaw has been resolved in NeuVector version 5.4.6 and later. The patched release introduces new Kubernetes RBAC (Role-Based Access Control) permissions to ensure bootstrap passwords are securely managed through Secrets.
The advisory notes, “These RBAC roles are automatically applied when deploying via Helm. If deploying or upgrading manually, you must create these roles before starting NeuVector. If these roles are not present, the NeuVector controller (from version 5.4.6 onward) does not start.”
For those running vulnerable versions, immediate manual intervention is required. The advisory recommends: “Log in to the NeuVector UI immediately after deployment and update the default admin password.”
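The weak point the advisory describes is the fallback path: a password that should come from the `neuvector-bootstrap-secret` Secret silently degrades to a fixed string whenever the read fails (Secret absent, or RBAC denying the controller access to it). The following is an added illustration, not NeuVector's own code, of that resolution logic beside two defender-side alternatives: a fail-closed variant that refuses to start, matching the behaviour the advisory attributes to 5.4.6, and a variant that generates a per-deployment random password instead of using a fixed one. The Secret store is a constructed dictionary standing in for the Kubernetes API, the placeholder default value is invented, and the function names are assumptions.

```python
import secrets
import string

# The real fixed default is not reproduced here; a labelled placeholder is enough
# to show the logic. Constructed value, not the project's.
FIXED_DEFAULT_PASSWORD = "<fixed-default-placeholder>"
BOOTSTRAP_SECRET_NAME = "neuvector-bootstrap-secret"  # Secret name from the advisory


class BootstrapError(RuntimeError):
    """Raised when the bootstrap password cannot be obtained safely."""


def read_bootstrap_secret(secret_store: dict, name: str = BOOTSTRAP_SECRET_NAME):
    """Simulate fetching the bootstrap password from a Kubernetes Secret.

    `secret_store` is a constructed dict standing in for the API server.
    A missing key models an absent Secret; an Exception stored as the value
    models an RBAC denial on the `get` request. Both make retrieval fail.
    """
    value = secret_store.get(name)
    if value is None or isinstance(value, Exception):
        return None
    return value


def resolve_admin_password_vulnerable(secret_store: dict) -> str:
    """Pre-5.4.6 style (as described in the advisory): on any retrieval
    failure, silently fall back to the fixed default password."""
    pw = read_bootstrap_secret(secret_store)
    return pw if pw else FIXED_DEFAULT_PASSWORD


def resolve_admin_password_failclosed(secret_store: dict) -> str:
    """Fail closed: if the Secret cannot be read, refuse to start rather
    than boot with a credential any workload in the cluster could guess."""
    pw = read_bootstrap_secret(secret_store)
    if not pw:
        raise BootstrapError(
            f"could not read Secret {BOOTSTRAP_SECRET_NAME!r}; "
            "refusing to start with a fixed default password "
            "(check the controller's RBAC and that the Secret exists)"
        )
    return pw


def generate_bootstrap_password(length: int = 24) -> str:
    """Per-deployment random password from a CSPRNG (alternative to a fixed
    default when no operator-supplied Secret is present)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def resolve_admin_password_random(secret_store: dict) -> tuple[str, bool]:
    """Use the Secret if readable, otherwise generate a random password.
    Returns (password, generated) so the caller can surface a generated
    value to the operator instead of leaving it unknown."""
    pw = read_bootstrap_secret(secret_store)
    if pw:
        return pw, False
    return generate_bootstrap_password(), True


def uses_fixed_default(current_password: str) -> bool:
    """Post-deployment check: is the admin account still on the fixed default?
    Constant-time compare avoids leaking the result through timing."""
    return secrets.compare_digest(current_password, FIXED_DEFAULT_PASSWORD)


if __name__ == "__main__":
    # Constructed scenarios: Secret present, Secret missing, RBAC denied.
    scenarios = {
        "secret present": {BOOTSTRAP_SECRET_NAME: "operator-chosen-pass"},
        "secret missing": {},
        "rbac denied": {BOOTSTRAP_SECRET_NAME: PermissionError("secrets is forbidden")},
    }
    for label, store in scenarios.items():
        weak = resolve_admin_password_vulnerable(store)
        print(f"{label:15s} vulnerable -> fixed default used: {uses_fixed_default(weak)}")
        try:
            resolve_admin_password_failclosed(store)
            print(f"{label:15s} fail-closed -> started")
        except BootstrapError as e:
            print(f"{label:15s} fail-closed -> refused: {e}")
```

Run as a script, the two failure scenarios show the vulnerable resolver quietly returning the fixed default while the fail-closed resolver refuses to start; only the "secret present" case starts under both. The `uses_fixed_default` check is the kind of post-deployment assertion worth wiring into a deployment pipeline, since the advisory's recommended mitigation on vulnerable versions depends entirely on an operator remembering to change the password.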