Executive Summary

CVE-2025-62877 is a critical vulnerability in SUSE Virtualization (Harvester) environments using the interactive installer versions 1.5.x and 1.6.x. The vulnerability occurs because the installer enables the host's networking before resetting the default administrative SSH login password. This default password, intended only for out-of-band management, is exposed over the network during cluster creation or expansion, allowing an attacker to remotely access the host via SSH without any privileges or user interaction. Environments using the PXE boot mechanism with Harvester configuration are not affected. The issue is fixed in version 1.7.0 and later by requiring users to reset the default password before enabling network access. [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker to gain unauthorized remote access to the host via SSH using default credentials without any privileges or user interaction. This compromises the confidentiality, integrity, and availability of the affected system at a high level. An attacker could potentially control the host, disrupt services, or access sensitive data during the window when the default password is exposed. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if hosts were installed using the interactive installer versions 1.5.x or 1.6.x of SUSE Harvester, specifically versions >=1.5.0 to <=1.5.2 and >=1.6.0 to <=1.6.1. Since the issue involves exposure of the default SSH login password during cluster creation or expansion, you can scan your network for hosts with open SSH port 22 that might still accept the default administrative credentials. Commands such as 'nmap -p 22 <host-ip>' can be used to identify hosts with SSH open. Additionally, attempting to SSH using the known default credentials (if available from documentation) could confirm vulnerability. Monitoring network traffic during cluster setup for early SSH connections before password reset may also help detect exposure. [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include: 1) Avoid using the interactive installer versions 1.5.x and 1.6.x; upgrade to version 1.7.0 or later where the issue is fixed. 2) If upgrade is not immediately possible, use the PXE boot method combined with a secure password configuration file to prevent exposure of the default password over the network. 3) Apply network security controls to restrict access to SSH port 22 during the bootstrapping process, preventing unauthorized remote access. These steps help prevent attackers from exploiting the window where the default SSH password is exposed. [1]

Useful 0 Not Useful 0

Compliance Impact

This vulnerability exposes the default SSH login password over the network during cluster creation or expansion, allowing unauthorized remote access to hosts. Such unauthorized access can lead to breaches of confidentiality, integrity, and availability of data, which may result in non-compliance with common standards and regulations like GDPR and HIPAA that require protection of sensitive data and secure access controls. Therefore, this vulnerability poses a significant risk to compliance with these regulations unless mitigated or patched. [1]

Useful 0 Not Useful 0