Upstream information
Description
A vulnerability exists in NeuVector versions up to and including 5.4.5, where a fixed string is used as the default password for the built-in `admin` account. If this password is not changed immediately after deployment, any workload with network access within the cluster could use the default credentials to obtain an authentication token. This token can then be used to perform any operation via NeuVector APIs.Upstream Security Advisories:
Other Security Trackers
SUSE information
Overall state of this security issue: Revisit
This issue is currently rated as having critical severity.
| CNA (SUSE) | |
|---|---|
| Base Score | 9.8 |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
| CVSSv3 Version | 3.1 |
SUSE Security Advisories:
- GHSA-8pxw-9c75-6w56, published Tue Aug 26 19:00:36 CEST 2025
List of released packages
| Product(s) | Fixed package version(s) | References |
|---|---|---|
| openSUSE Tumbleweed |
| Patchnames: openSUSE-Tumbleweed-2025-15538 |
SUSE Timeline for this CVE
CVE page created: Fri Aug 8 15:54:15 2025CVE page last modified: Wed Sep 17 19:25:26 2025