CVE-2025-62877
Severity: CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
Projects using the SUSE Virtualization (Harvester) environment may expose the OS default SSH login password if they use the 1.5.x or 1.6.x interactive installer either to create a new cluster or to add new hosts to an existing cluster. The environment is not affected if the PXE boot mechanism is used together with the Harvester configuration setup.
Analysis
SUSE Harvester virtualization environment (1.5.x, 1.6.x) exposes the OS default SSH login password when using the interactive installer. This affects all hosts provisioned through the interactive method, potentially compromising entire virtualization clusters.
Technical Context
The interactive installer sets a default SSH password (CWE-1188) that is not forced to be changed after installation. All hosts provisioned this way share the same credential, creating a single point of failure for the entire Harvester cluster.
Affected Products
SUSE Harvester 1.5.x, 1.6.x (interactive installer method only; PXE boot not affected)
Remediation
Change the SSH password on all Harvester hosts immediately. Use PXE boot with Harvester configuration for future provisioning.
References
GHSA-6g8q-hp2j-gvwv