CVE-2025-54469
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-30

Last updated on: 2025-10-30

Assigner: SUSE

Description
A vulnerability was identified in NeuVector, where the enforcer used environment variables CLUSTER_RPC_PORT and CLUSTER_LAN_PORT to generate a command to be executed via popen, without first sanitising their values. The entry process of the enforcer container is the monitor process. When the enforcer container stops, the monitor process checks whether the consul subprocess has exited. To perform this check, the monitor process uses the popen function to execute a shell command that determines whether the ports used by the consul subprocess are still active. The values of environment variables CLUSTER_RPC_PORT and CLUSTER_LAN_PORT are used directly to compose shell commands via popen without validation or sanitization. This behavior could allow a malicious user to inject malicious commands through these variables within the enforcer container.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-30
Last Modified
2025-10-30
Generated
2026-06-16
AI Q&A
2025-10-30
EPSS Evaluated
2026-06-15
NVD
CVE-2025-54469
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
neuvector enforcer *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in NeuVector involves the enforcer component using environment variables CLUSTER_RPC_PORT and CLUSTER_LAN_PORT to build shell commands executed via popen without sanitizing these variables. Because these environment variables are used directly, a malicious user could inject harmful commands through them within the enforcer container, potentially leading to command injection attacks.

Impact Analysis

The vulnerability can allow an attacker with access to the enforcer container environment variables to execute arbitrary commands on the system. This can lead to full compromise of the container, including unauthorized access, data manipulation, service disruption, or further attacks on the host or network.

Mitigation Strategies

To mitigate this vulnerability, ensure that the environment variables CLUSTER_RPC_PORT and CLUSTER_LAN_PORT are properly sanitized and validated before being used to compose shell commands. Avoid using unsanitized environment variables directly in popen calls. Additionally, restrict access to the enforcer container to trusted users only to prevent malicious injection through these variables.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-54469. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart