CVE-2025-8077

CRITICAL

NeuVector <= 5.4.5 - Use of Default Password for Admin Account

Title source: llm

Description

A vulnerability exists in NeuVector versions up to and including 5.4.5, where a fixed string is used as the default password for the built-in `admin` account. If this password is not changed immediately after deployment, any workload with network access within the cluster could use the default credentials to obtain an authentication token. This token can then be used to perform any operation via NeuVector APIs.

References (2)

Core 2

Core References

Vendor Advisory

https://github.com/neuvector/neuvector/security/advisories/GHSA-8pxw-9c75-6w56

Issue Tracking

https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-8077

Scores

CVSS v3 9.8

EPSS 0.0010

EPSS Percentile 26.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-1393

Status published

Products (3)

neuvector/neuvector 0 - 0.0.0-20250825191744-da1a462074c3Go

neuvector/neuvector 5.0.0 - 5.4.6Go

SUSE/neuvector 5.0.0 - 5.4.6

Published Sep 17, 2025

Tracked Since Feb 18, 2026