A vulnerability exists in NeuVector versions up to and including 5.4.5, where a fixed string is used as the default password for the built-in `admin` account. If this password is not changed immediately after deployment, any workload with network access within the cluster could use the default credentials to obtain an authentication token. This token can then be used to perform any operation via NeuVector APIs.
NeuVector uses a fixed string as the default password for the built-in `admin` account. If an administrator does not change this password immediately after deployment, an attacker or malicious workload with network access to the cluster can log in using the known default credentials. After successful authentication, a session token is obtained, which provides full access to all operations exposed by the NeuVector API without any additional restrictions.
An attacker gains full administrative privileges in NeuVector, enabling them to read, modify, and delete cluster security configurations, as well as manipulate network policies and workload protection mechanisms — leading to complete compromise of confidentiality, integrity, and availability of the environment.
The default password for the `admin` account must be changed immediately after each NeuVector deployment. Patches available from the vendor should be applied according to references (GHSA-8pxw-9c75-6w56 and SUSE Bugzilla CVE-2025-8077). It is also recommended to restrict network access to the NeuVector API only to trusted workloads and administrators.
NeuVector in versions up to and including 5.4.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H