CVE-2025-54470
BaseFortify
Publication date: 2025-10-30
Last updated on: 2025-10-30
Assigner: SUSE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| neuvector | neuvector | 5.4.7 |
| neuvector | neuvector | 5.3.5 |
| neuvector | neuvector | 5.3.0 |
| neuvector | neuvector | 5.4.6 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in NeuVector when the 'Report anonymous cluster data' option is enabled. NeuVector sends anonymous telemetry data to its telemetry server without enforcing TLS certificate verification. This lack of verification allows attackers to perform man-in-the-middle (MITM) attacks, intercepting or modifying the data. Additionally, NeuVector loads the telemetry server's response into memory without size limits, making it vulnerable to Denial of Service (DoS) attacks.
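The two defects described above (telemetry sent without certificate verification, and the server's reply read into memory without a bound) alongside a hardened telemetry client, as an added example in Go; this is not NeuVector's code, and the client shape, the 64 KiB limit and the HTTPS POST are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/tls"
	"errors"
	"io"
	"net/http"
	"time"
)

// Upper bound kept in memory for the telemetry server's reply (value assumed for this example).
const maxTelemetryResponse int64 = 64 * 1024
var ErrResponseTooLarge = errors.New("telemetry response exceeds size limit")

// insecureClient: the CWE-295 pattern the advisory describes, with certificate checks switched off,
// so whoever terminates the TLS connection is trusted and can read or alter the telemetry.
func insecureClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // weak: no chain or hostname check
	}}
}

// hardenedClient keeps Go's default chain and hostname verification against the system roots,
// requires TLS 1.2+, and sets a timeout so a stalled server cannot hold the reporter open.
func hardenedClient() *http.Client {
	return &http.Client{
		Timeout:   15 * time.Second,
		Transport: &http.Transport{TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12}},
	}
}

// readBounded replaces an unbounded io.ReadAll: it reads at most limit bytes and returns
// ErrResponseTooLarge if the server sends more, instead of buffering the whole reply.
func readBounded(r io.Reader, limit int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(r, limit+1)) // one extra byte reveals an oversized reply
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, ErrResponseTooLarge
	}
	return data, nil
}

// postTelemetry sends payload to url (an HTTPS POST is assumed) and returns the bounded reply.
func postTelemetry(client *http.Client, url string, payload []byte) ([]byte, error) {
	resp, err := client.Post(url, "application/json", bytes.NewReader(payload))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	return readBounded(resp.Body, maxTelemetryResponse)
}
```

Swapping insecureClient for hardenedClient in the call to postTelemetry is the whole fix on the client side; the bounded read caps memory regardless of which server answers.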
How can this vulnerability impact me?
The vulnerability can lead to interception or modification of telemetry data through MITM attacks, potentially exposing sensitive information or corrupting data. It also exposes the system to Denial of Service (DoS) attacks by allowing an attacker to send excessively large responses that consume memory resources, potentially causing service disruption.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately disable the 'Report anonymous cluster data' option in your NeuVector deployment to prevent transmission of anonymous telemetry data without TLS certificate verification. Additionally, monitor for any unusual network activity that could indicate man-in-the-middle attacks or denial of service attempts related to telemetry data transmission.