Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-62877

CVE-2025-62877: SUSE Harvester Password Exposure Flaw

CVE-2025-62877 is an information disclosure vulnerability in SUSE Virtualization (Harvester) that exposes default SSH login passwords during installation. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2025-62877 Overview

CVE-2025-62877 affects SUSE Virtualization (Harvester) clusters provisioned through the interactive installer. Operators using the 1.5.x or 1.6.x interactive installer to create a new cluster or add hosts to an existing cluster may expose the operating system default SSH login password. The flaw maps to CWE-1188: Initialization of a Resource with an Insecure Default. Clusters provisioned through PXE boot together with the Harvester configuration setup are not affected. The exposure provides a remote, network-reachable authentication path into hypervisor hosts.

Critical Impact

Attackers reaching the management network can authenticate to Harvester hosts using the default SSH credential, gaining shell access to the hypervisor.

Affected Products

  • SUSE Virtualization (Harvester) 1.5.x deployed via interactive installer
  • SUSE Virtualization (Harvester) 1.6.x deployed via interactive installer
  • New hosts added to existing clusters using the interactive installer

Discovery Timeline

  • 2026-01-08 - CVE-2025-62877 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-62877

Vulnerability Analysis

Harvester is a hyperconverged infrastructure platform built on Kubernetes and KubeVirt. The interactive installer provisions the underlying SUSE Linux Enterprise host and configures SSH access for the default operator account. In versions 1.5.x and 1.6.x, the installer path leaves the operating system SSH login password set to a known default value rather than enforcing operator-supplied credentials. Any host installed through this workflow accepts that default password on the SSH service. Because Harvester hosts typically expose SSH on the management interface, the credential becomes reachable across the network without prior authentication or user interaction.

Root Cause

The defect is an insecure default initialization in the interactive installer ([CWE-1188]). The installer fails to require a unique password or to disable password authentication for the default OS account before completing provisioning. PXE-based installs that consume a Harvester configuration file supply credentials through the configuration, which is why that path is not affected.

Attack Vector

An unauthenticated attacker with network reach to the Harvester host SSH port submits the documented default password against the default account. Successful authentication yields interactive shell access to the hypervisor node. From that position, an attacker can pivot to guest virtual machines, manipulate Kubernetes control-plane components, exfiltrate cluster secrets, and persist on the hypervisor.

No public exploit code, proof-of-concept, or CISA KEV listing is recorded for this CVE at the time of publication. Technical details are described in prose because no verified exploitation code is available. Refer to the GitHub Security Advisory GHSA-6g8q-hp2j-gvwv for vendor specifics.

Detection Methods for CVE-2025-62877

Indicators of Compromise

  • Successful SSH authentications to Harvester hosts from unexpected source addresses or outside maintenance windows.
  • New SSH keys appended to ~/.ssh/authorized_keys on hypervisor nodes after install.
  • Unexpected sudo, kubectl, or virtctl activity originating from the default OS account.
  • Outbound connections from hypervisor hosts to unrecognized infrastructure.

Detection Strategies

  • Inventory all Harvester 1.5.x and 1.6.x nodes and identify which were provisioned via the interactive installer versus PXE.
  • Audit /etc/shadow hashes against the known default to confirm whether the unchanged password is still present.
  • Review sshd logs (/var/log/messages, journalctl -u sshd) for password-based logins succeeding on the default account.
  • Correlate Kubernetes audit logs with host SSH session times to surface privilege use following remote logins.

Monitoring Recommendations

  • Alert on any password-based SSH authentication to Harvester hosts; the supported model is key-based.
  • Monitor for changes to authentication configuration files such as /etc/ssh/sshd_config and /etc/pam.d/sshd.
  • Forward host and Kubernetes audit logs to a centralized analytics platform and retain them for incident review.

How to Mitigate CVE-2025-62877

Immediate Actions Required

  • Rotate the OS login password on every Harvester host installed via the 1.5.x or 1.6.x interactive installer.
  • Restrict SSH exposure on Harvester management interfaces to administrative networks or a bastion host only.
  • Disable password-based SSH authentication and enforce public key authentication on all hypervisor nodes.
  • Review host and cluster audit logs for unauthorized access since installation.

Patch Information

Consult the SUSE Bugzilla entry for CVE-2025-62877 and the GitHub Security Advisory GHSA-6g8q-hp2j-gvwv for fixed installer versions and remediation guidance from the Harvester maintainers.

Workarounds

  • Re-provision affected nodes using the PXE boot mechanism with a Harvester configuration file that sets a unique password.
  • Manually reset the default account password on each affected host immediately after install and before joining production networks.
  • Place Harvester management networks behind firewall rules that block inbound SSH from untrusted segments.
bash
# Post-install hardening on each Harvester host
sudo passwd rancher
sudo sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo systemctl restart sshd

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.