What is the CVSS score of CVE-2025-62877?

CVE-2025-62877 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of SSH are affected by CVE-2025-62877?

CVE-2025-62877 presents critical security risk rated CVSS 9.8. Successful exploitation could critically impact the confidentiality, integrity, and availability of affected systems.

How to fix or mitigate CVE-2025-62877?

Within 24 hours: Identify all affected systems and apply vendor patches immediately. Monitor vendor channels for patch availability.

SSH CVE-2025-62877

CRITICAL

Initialization of a Resource with an Insecure Default (CWE-1188)

2026-01-08 meissner@suse.de

GHSA-6g8q-hp2j-gvwv

SSH Suse

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

CVE Published

Jan 08, 2026 - 13:15 nvd

CRITICAL 9.8

DescriptionNVD

Projects using the SUSE Virtualization (Harvester) environment may expose the OS default ssh login password if they are using the 1.5.x or 1.6.x interactive installer to either create a new cluster or add new hosts to an existing cluster. The environment is not affected if the PXE boot mechanism is utilized along with the Harvester configuration setup.

AnalysisAI

SUSE Harvester virtualization environment (1.5.x, 1.6.x) exposes the OS default SSH login password when using the interactive installer. This affects all hosts provisioned through the interactive method, potentially compromising entire virtualization clusters.

Technical ContextAI

The interactive installer sets a default SSH password (CWE-1188) that is not forced to be changed after installation. All hosts provisioned this way share the same credential, creating a single point of failure for the entire Harvester cluster.

Affected ProductsAI

SUSE Harvester 1.5.x, 1.6.x (interactive installer method only; PXE boot not affected)

RemediationAI

Change the SSH password on all Harvester hosts immediately. Use PXE boot with Harvester configuration for future provisioning.

More from same product – last 7 days

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

CVE-2025-62877 vulnerability details – vuln.today

Back

SSH CVE-2025-62877

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

Affected ProductsAI

RemediationAI

More from same product – last 7 days

Vendor StatusVendor

Share

External POC / Exploit Code