Vulnerability-Lookup

CVE-2025-62877 (GCVE-0-2025-62877)

Vulnerability from cvelistv5 – Published: 2026-01-08 12:29 – Updated: 2026-01-08 14:43

Title

Harvest may expose OS default ssh login password via SUSE Virtualization Interactive Installer

Summary

Projects using the SUSE Virtualization (Harvester) environment may expose the OS default ssh login password if they are using the 1.5.x or 1.6.x interactive installer to either create a new cluster or add new hosts to an existing cluster. The environment is not affected if the PXE boot mechanism is utilized along with the Harvester configuration setup.

Severity ?

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-1188 - Initialization of a Resource with an Insecure Default

Assigner

suse

References

URL

Tags

	https://bugzilla.suse.com/show_bug.cgi?id=CVE-202…
	https://github.com/harvester/harvester/security/a…

Impacted products

	Vendor	Product	Version
	SUSE	harvester	Affected: 1.6.0 (semver) Affected: 1.5.0 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-62877",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-08T14:40:02.987768Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-08T14:43:34.114Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "github.com/harvester/harvester-installer",
          "product": "harvester",
          "vendor": "SUSE",
          "versions": [
            {
              "status": "affected",
              "version": "1.6.0",
              "versionType": "semver"
            },
            {
              "status": "affected",
              "version": "1.5.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2026-01-05T19:25:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Projects using the SUSE Virtualization (Harvester) environment may\u0026nbsp;expose the OS default ssh login password\u0026nbsp;\u0026nbsp;if they are using the 1.5.x or 1.6.x interactive installer to either create a new cluster or add new hosts to an existing cluster.  The environment is not affected if the PXE boot mechanism is utilized along with the Harvester configuration\u0026nbsp;setup."
            }
          ],
          "value": "Projects using the SUSE Virtualization (Harvester) environment may\u00a0expose the OS default ssh login password\u00a0\u00a0if they are using the 1.5.x or 1.6.x interactive installer to either create a new cluster or add new hosts to an existing cluster.  The environment is not affected if the PXE boot mechanism is utilized along with the Harvester configuration\u00a0setup."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1188",
              "description": "CWE-1188: Initialization of a Resource with an Insecure Default",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-08T12:29:07.079Z",
        "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "shortName": "suse"
      },
      "references": [
        {
          "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-62877"
        },
        {
          "url": "https://github.com/harvester/harvester/security/advisories/GHSA-6g8q-hp2j-gvwv"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Harvest may expose OS default ssh login password via SUSE Virtualization Interactive Installer",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
    "assignerShortName": "suse",
    "cveId": "CVE-2025-62877",
    "datePublished": "2026-01-08T12:29:07.079Z",
    "dateReserved": "2025-10-24T10:34:22.765Z",
    "dateUpdated": "2026-01-08T14:43:34.114Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-62877\",\"sourceIdentifier\":\"meissner@suse.de\",\"published\":\"2026-01-08T13:15:41.923\",\"lastModified\":\"2026-01-08T18:08:18.457\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Projects using the SUSE Virtualization (Harvester) environment may\u00a0expose the OS default ssh login password\u00a0\u00a0if they are using the 1.5.x or 1.6.x interactive installer to either create a new cluster or add new hosts to an existing cluster.  The environment is not affected if the PXE boot mechanism is utilized along with the Harvester configuration\u00a0setup.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"meissner@suse.de\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"meissner@suse.de\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1188\"}]}],\"references\":[{\"url\":\"https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-62877\",\"source\":\"meissner@suse.de\"},{\"url\":\"https://github.com/harvester/harvester/security/advisories/GHSA-6g8q-hp2j-gvwv\",\"source\":\"meissner@suse.de\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"affected\": [{\"defaultStatus\": \"unaffected\", \"packageName\": \"github.com/harvester/harvester-installer\", \"product\": \"harvester\", \"vendor\": \"SUSE\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.6.0\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"1.5.0\", \"versionType\": \"semver\"}]}], \"datePublic\": \"2026-01-05T19:25:00.000Z\", \"descriptions\": [{\"lang\": \"en\", \"supportingMedia\": [{\"base64\": false, \"type\": \"text/html\", \"value\": \"Projects using the SUSE Virtualization (Harvester) environment may\u0026nbsp;expose the OS default ssh login password\u0026nbsp;\u0026nbsp;if they are using the 1.5.x or 1.6.x interactive installer to either create a new cluster or add new hosts to an existing cluster.  The environment is not affected if the PXE boot mechanism is utilized along with the Harvester configuration\u0026nbsp;setup.\"}], \"value\": \"Projects using the SUSE Virtualization (Harvester) environment may\\u00a0expose the OS default ssh login password\\u00a0\\u00a0if they are using the 1.5.x or 1.6.x interactive installer to either create a new cluster or add new hosts to an existing cluster.  The environment is not affected if the PXE boot mechanism is utilized along with the Harvester configuration\\u00a0setup.\"}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"HIGH\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"version\": \"3.1\"}, \"format\": \"CVSS\", \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-1188\", \"description\": \"CWE-1188: Initialization of a Resource with an Insecure Default\", \"lang\": \"en\", \"type\": \"CWE\"}]}], \"providerMetadata\": {\"orgId\": \"404e59f5-483d-4b8a-8e7a-e67604dd8afb\", \"shortName\": \"suse\", \"dateUpdated\": \"2026-01-08T12:29:07.079Z\"}, \"references\": [{\"url\": \"https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-62877\"}, {\"url\": \"https://github.com/harvester/harvester/security/advisories/GHSA-6g8q-hp2j-gvwv\"}], \"source\": {\"discovery\": \"UNKNOWN\"}, \"title\": \"Harvest may expose OS default ssh login password via SUSE Virtualization Interactive Installer\", \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-62877\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-08T14:40:02.987768Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-08T14:41:56.620Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-62877\", \"assignerOrgId\": \"404e59f5-483d-4b8a-8e7a-e67604dd8afb\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"suse\", \"dateReserved\": \"2025-10-24T10:34:22.765Z\", \"datePublished\": \"2026-01-08T12:29:07.079Z\", \"dateUpdated\": \"2026-01-08T14:43:34.114Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-6G8Q-HP2J-GVWV

Vulnerability from github – Published: 2026-01-05 20:25 – Updated: 2026-01-08 21:18

Summary

Harvest May Expose OS Default SSH Login Password Via SUSE Virtualization Interactive Installer

Details

Impact

Projects using the SUSE Virtualization (Harvester) environment are vulnerable to this exploit if they are using the 1.5.x or 1.6.x interactive installer to either create a new cluster or add new hosts to an existing cluster. The environment is not affected if the PXE boot mechanism is utilized along with the Harvester configuration setup.

A critical vulnerability has been identified within the SUSE Virtualization interactive installer. This vulnerability allows an attacker to gain unauthorized network access to the host via a remote shell (SSH).

The SUSE Virtualization operating system includes a default administrative login credential intended solely for out-of-band cluster management tasks (for example, perform troubleshooting, device management and system recovery over serial ports). When the interactive installer is used to create or expand a cluster, the installer enables the host's networking functions before the default password is reset. This presents a window of opportunity for an attacker to exploit the default password to gain unauthorized access to the host via SSH.

Please consult the associated MITRE ATT&CK - Technique - Default Credentials for further information about this category of attack.

Patches

This vulnerability is addressed by updating the interactive installer to allow the user to reset the OS default login password, before proceeding to other system configuration screens like the host networking screen and before network connectivity for remote access to the host is actually enabled.

v1.7.0 and later include the necessary security fixes.

Workarounds

For environments that are dependent on the SUSE Virtualization 1.5 and 1.6 interactive installer, users should upgrade the clusters to SUSE Virtualization 1.7 and use the 1.7 installer to manage hosts. These versions allow users to reset the operating system's default administrative password before proceeding to other system configuration screens and before enabling network connectivity for remote host access.

Projects can also perform one of the following workarounds to mitigate the risk:

If upgrading to v1.7.x is not an option, use the PXE boot mechanism along with a configuration file to define a secure password.
Apply network security controls to limit access to the server from any untrusted location during bootstrapping. For example, ensure that port 22 is not exposed to the public internet until at least the default login password is changed to a secure value.

Resources

If users have any questions or comments about this advisory: * Reach out to the SUSE Rancher Security team for security related inquiries. * Open an issue in the Harvester repository. * Verify with the support matrix and product support lifecycle.

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/harvester/harvester-installer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.6.0"
            },
            {
              "last_affected": "1.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/harvester/harvester-installer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.5.0"
            },
            {
              "last_affected": "1.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-62877"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-05T20:25:53Z",
    "nvd_published_at": "2026-01-08T13:15:41Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nProjects using the SUSE Virtualization (Harvester) environment are vulnerable to this exploit if they are using the 1.5.x or 1.6.x interactive installer to either create a new cluster or add new hosts to an existing cluster.  The environment is not affected if the [PXE boot mechanism](https://docs.harvesterhci.io/v1.7/install/pxe-boot-install/) is utilized along with the [Harvester configuration](https://docs.harvesterhci. io/v1.7/install/harvester-configuration) setup.\n\nA critical vulnerability has been identified within the SUSE Virtualization interactive installer. This vulnerability allows an attacker to gain unauthorized network access to the host via a remote shell (SSH).\n\nThe SUSE Virtualization operating system includes a default administrative login credential intended solely for out-of-band cluster management tasks (for example, perform troubleshooting, device management and system recovery over serial ports). When the interactive installer is used to create or expand a cluster, the installer enables the host\u0027s networking functions before the default password is reset. This presents a window of opportunity for an attacker to exploit the default password to gain unauthorized access to the host via SSH. \n\nPlease consult the associated  [MITRE ATT\u0026CK - Technique - Default Credentials](https://attack.mitre.org/techniques/T0812/) for further information about this category of attack.\n\n### Patches\n\nThis vulnerability is addressed by updating the interactive installer to allow the user to reset the OS default login password, before proceeding to other system configuration screens like the host networking screen and before network connectivity for remote access to the host is actually enabled. \n\nv1.7.0 and later include the necessary security fixes. \n\n### Workarounds\n\nFor environments that are dependent on the SUSE Virtualization 1.5 and 1.6 interactive installer, users should upgrade the clusters to SUSE Virtualization 1.7 and use the 1.7 installer to manage hosts. These versions allow users to reset the operating system\u0027s default administrative password before proceeding to other system configuration screens and before enabling network connectivity for remote host access.\n\nProjects can also perform one of the following workarounds to mitigate the risk:\n\n* If upgrading to v1.7.x is not an option, use the [PXE boot mechanism](https://docs.harvesterhci.io/v1.7/install/pxe-boot-install/) along with a configuration file to define a secure password. \n* Apply network security controls to limit access to the server from any untrusted location during bootstrapping. For example, ensure that port 22 is not exposed to the public internet until at least the default login password is changed to a secure value.\n\n### Resources\n\nIf users have any questions or comments about this advisory: \n* Reach out to the [SUSE Rancher Security team](https://github.com/harvester/harvester/security/policy) for security related inquiries.\n* Open an issue in the [Harvester](https://github.com/harvester/harvester/issues/new/choose) repository.\n* Verify with the [support matrix](https://www.suse.com/suse-harvester/support-matrix/all-supported-versions/harvester-v1-6-x/) and [product support lifecycle](https://www.suse.com/lifecycle/#suse-virtualization).",
  "id": "GHSA-6g8q-hp2j-gvwv",
  "modified": "2026-01-08T21:18:48Z",
  "published": "2026-01-05T20:25:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/harvester/harvester/security/advisories/GHSA-6g8q-hp2j-gvwv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62877"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-62877"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/harvester/harvester"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Harvest May Expose OS Default SSH Login Password Via SUSE Virtualization Interactive Installer"
}

FKIE_CVE-2025-62877

Vulnerability from fkie_nvd - Published: 2026-01-08 13:15 - Updated: 2026-01-08 18:08

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	meissner@suse.de	https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-62877
	meissner@suse.de	https://github.com/harvester/harvester/security/advisories/GHSA-6g8q-hp2j-gvwv

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Projects using the SUSE Virtualization (Harvester) environment may\u00a0expose the OS default ssh login password\u00a0\u00a0if they are using the 1.5.x or 1.6.x interactive installer to either create a new cluster or add new hosts to an existing cluster.  The environment is not affected if the PXE boot mechanism is utilized along with the Harvester configuration\u00a0setup."
    }
  ],
  "id": "CVE-2025-62877",
  "lastModified": "2026-01-08T18:08:18.457",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "meissner@suse.de",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-08T13:15:41.923",
  "references": [
    {
      "source": "meissner@suse.de",
      "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-62877"
    },
    {
      "source": "meissner@suse.de",
      "url": "https://github.com/harvester/harvester/security/advisories/GHSA-6g8q-hp2j-gvwv"
    }
  ],
  "sourceIdentifier": "meissner@suse.de",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1188"
        }
      ],
      "source": "meissner@suse.de",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-62877 (GCVE-0-2025-62877)

GHSA-6G8Q-HP2J-GVWV

Impact

Patches

Workarounds

Resources

FKIE_CVE-2025-62877

Tags

Sightings

Nomenclature