CVE-2025-54470
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-30

Last updated on: 2025-10-30

Assigner: SUSE

Description
This vulnerability affects NeuVector deployments only when the Report anonymous cluster data option is enabled. When this option is enabled, NeuVector sends anonymous telemetry data to the telemetry server. In affected versions, NeuVector does not enforce TLS certificate verification when transmitting anonymous cluster data to the telemetry server. As a result, the communication channel is susceptible to man-in-the-middle (MITM) attacks, where an attacker could intercept or modify the transmitted data. Additionally, NeuVector loads the response of the telemetry server is loaded into memory without size limitation, which makes it vulnerable to a Denial of Service(DoS) attack
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-30
Last Modified
2025-10-30
Generated
2026-06-16
AI Q&A
2025-10-30
EPSS Evaluated
2026-06-14
NVD
CVE-2025-54470
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
neuvector neuvector 5.4.7
neuvector neuvector 5.3.5
neuvector neuvector 5.3.0
neuvector neuvector 5.4.6
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in NeuVector when the 'Report anonymous cluster data' option is enabled. NeuVector sends anonymous telemetry data to its telemetry server without enforcing TLS certificate verification. This lack of verification allows attackers to perform man-in-the-middle (MITM) attacks, intercepting or modifying the data. Additionally, NeuVector loads the telemetry server's response into memory without size limits, making it vulnerable to Denial of Service (DoS) attacks.

Impact Analysis

The vulnerability can lead to interception or modification of telemetry data through MITM attacks, potentially exposing sensitive information or corrupting data. It also exposes the system to Denial of Service (DoS) attacks by allowing an attacker to send excessively large responses that consume memory resources, potentially causing service disruption.

Mitigation Strategies

To mitigate this vulnerability, immediately disable the 'Report anonymous cluster data' option in your NeuVector deployment to prevent transmission of anonymous telemetry data without TLS certificate verification. Additionally, monitor for any unusual network activity that could indicate man-in-the-middle attacks or denial of service attempts related to telemetry data transmission.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-54470. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart