CVE-2025-67860 Overview
A vulnerability has been identified in the NeuVector scanner where the scanner process accepts registry and controller credentials as command-line arguments, potentially exposing sensitive credentials to local users. This represents a credential management weakness that could allow local attackers with access to the system to view sensitive authentication credentials through process listings.
Critical Impact
Local users can potentially view registry and controller credentials by inspecting command-line arguments of the NeuVector scanner process, enabling credential theft and unauthorized access to container registries or controllers.
Affected Products
- NeuVector Scanner (specific versions not disclosed)
- SUSE Harvester deployments using NeuVector
Discovery Timeline
- 2026-02-25 - CVE CVE-2025-67860 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2025-67860
Vulnerability Analysis
This vulnerability falls under CWE-522 (Insufficiently Protected Credentials), which occurs when a product transmits or stores authentication credentials in a manner that allows unauthorized access. In this case, the NeuVector scanner process passes sensitive credentials—specifically registry and controller authentication tokens—directly as command-line arguments.
On Unix-like systems, command-line arguments are visible to any local user through various mechanisms such as the /proc filesystem, the ps command, or system monitoring tools. When credentials are passed as command-line arguments rather than through more secure methods like environment variables, configuration files with restricted permissions, or secure credential stores, they become accessible to any user who can list running processes on the system.
The local attack vector requires the attacker to have existing access to the system where the NeuVector scanner is running. Once present on the system, the attacker can enumerate processes and extract credentials without requiring any additional privileges beyond basic user access.
Root Cause
The root cause is the design decision to accept sensitive credentials (registry credentials and controller credentials) as command-line arguments to the NeuVector scanner process. This approach violates secure credential handling best practices, as command-line arguments are inherently visible to other processes and users on the same system through standard operating system interfaces.
Attack Vector
The attack requires local access to a system running the NeuVector scanner. An attacker with unprivileged shell access can execute process listing commands to observe running scanner instances and extract credentials from the command-line arguments. These credentials could then be used to access container registries or the NeuVector controller, potentially enabling further attacks such as image manipulation, unauthorized scanning operations, or lateral movement within the container infrastructure.
The exploitation path typically involves:
- Gaining local access to a host running NeuVector scanner (e.g., through a compromised container or legitimate user access)
- Monitoring process listings using tools like ps aux or reading /proc/[pid]/cmdline
- Extracting registry and controller credentials from scanner process arguments
- Using stolen credentials for unauthorized access to registries or controller APIs
Detection Methods for CVE-2025-67860
Indicators of Compromise
- Unusual process listing commands executed by unexpected users or processes
- Access to /proc/*/cmdline files for NeuVector scanner processes from non-root users
- Unauthorized authentication attempts to container registries using legitimate credentials
- Suspicious NeuVector controller API access patterns
Detection Strategies
- Monitor for excessive use of process enumeration commands (ps, top, reading /proc) by non-administrative users
- Implement audit logging for access to /proc/[pid]/cmdline files associated with NeuVector processes
- Track authentication events on container registries and NeuVector controllers for anomalous access patterns
- Deploy endpoint detection to identify credential harvesting behavior on container hosts
Monitoring Recommendations
- Enable process auditing on systems running NeuVector scanner components
- Configure centralized logging for container registry authentication events
- Monitor NeuVector controller access logs for authentication from unexpected sources
- Implement file integrity monitoring on NeuVector configuration directories
How to Mitigate CVE-2025-67860
Immediate Actions Required
- Restrict local access to systems running the NeuVector scanner to only essential personnel
- Review and rotate any credentials that may have been exposed through scanner command-line arguments
- Audit process access logs on affected systems for signs of credential harvesting
- Apply vendor patches when available
Patch Information
Refer to the GitHub Security Advisory GHSA-3c9m-gq32-g4jx and SUSE Bug Report for official patch information and updated versions. Organizations should upgrade to patched versions as they become available from the vendor.
Workarounds
- Limit local shell access on systems running the NeuVector scanner to reduce exposure
- Consider running the scanner in isolated environments with minimal user access
- Implement additional access controls on the container hosts running NeuVector
- Use network segmentation to limit the impact of potentially compromised credentials
# Restrict process visibility to non-root users (Linux hidepid mount option)
# Add to /etc/fstab for persistent configuration
# proc /proc proc defaults,hidepid=2 0 0
# Or mount immediately:
mount -o remount,hidepid=2 /proc
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
