CVE-2025-66001
Unknown Unknown - Not Provided
TLS Verification Bypass in NeuVector OpenID Connect Enables MITM Attacks

Publication date: 2026-01-08

Last updated on: 2026-01-08

Assigner: SUSE

Description
NeuVector supports login authentication through OpenID Connect. However, the TLS verification (which verifies the remote server's authenticity and integrity) for OpenID Connect is not enforced by default. As a result this may expose the system to man-in-the-middle (MITM) attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-08
Last Modified
2026-01-08
Generated
2026-06-16
AI Q&A
2026-01-08
EPSS Evaluated
2026-06-15
NVD
CVE-2025-66001
EUVD
EUVD-2025-203112
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
neuvector neuvector From 5.3.0 (inc) to 5.4.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in NeuVector's OpenID Connect authentication occurs because TLS verification, which ensures the authenticity and integrity of the remote server, is not enforced by default. This improper certificate validation (CWE-295) allows attackers to perform man-in-the-middle (MITM) attacks by intercepting and potentially manipulating authentication traffic. [1, 2]

Impact Analysis

The vulnerability can lead to serious security impacts including unauthorized access and data compromise. Because TLS verification is not enforced by default, attackers can intercept authentication traffic via MITM attacks, potentially compromising confidentiality, integrity, and availability of the system. The CVSS score of 8.8 indicates a high severity with network attack vector, low attack complexity, and no privileges required. [1, 2]

Detection Guidance

This vulnerability can be detected by checking if TLS verification is enabled for OpenID Connect authentication in NeuVector. Since TLS verification is disabled by default in affected versions (5.3.0 up to but not including 5.4.8), you should verify the NeuVector UI settings under Settings > Configuration > TLS Self-Signed Certificate Configuration. There are no specific commands provided in the resources to detect this vulnerability on the network or system. [1]

Mitigation Strategies

To mitigate this vulnerability, immediately enable TLS verification in NeuVector. This can be done via the NeuVector UI by navigating to Settings > Configuration > TLS Self-Signed Certificate Configuration and enabling TLS verification for OpenID Connect and other authentication server connections. Optionally, upload or paste the TLS self-signed certificate to ensure proper validation. Additionally, upgrade NeuVector to version 5.4.8 or later, where TLS verification is enabled by default for new deployments. Note that rolling upgrades do not automatically enable TLS verification, so manual enabling is required to avoid service disruptions. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66001. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart