CVE-2025-66001
TLS Verification Bypass in NeuVector OpenID Connect Enables MITM Attacks
Publication date: 2026-01-08
Last updated on: 2026-01-08
Assigner: SUSE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| neuvector | neuvector | From 5.3.0 (inc) to 5.4.8 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in NeuVector's OpenID Connect authentication occurs because TLS verification, which ensures the authenticity and integrity of the remote server, is not enforced by default. This improper certificate validation (CWE-295) allows attackers to perform man-in-the-middle (MITM) attacks by intercepting and potentially manipulating authentication traffic. [1, 2]
How can this vulnerability impact me?
The vulnerability can lead to serious security impacts including unauthorized access and data compromise. Because TLS verification is not enforced by default, attackers can intercept authentication traffic via MITM attacks, potentially compromising confidentiality, integrity, and availability of the system. The CVSS score of 8.8 indicates a high severity with network attack vector, low attack complexity, and no privileges required. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if TLS verification is enabled for OpenID Connect authentication in NeuVector. Since TLS verification is disabled by default in affected versions (5.3.0 up to but not including 5.4.8), you should verify the NeuVector UI settings under Settings > Configuration > TLS Self-Signed Certificate Configuration. There are no specific commands provided in the resources to detect this vulnerability on the network or system. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately enable TLS verification in NeuVector. This can be done via the NeuVector UI by navigating to Settings > Configuration > TLS Self-Signed Certificate Configuration and enabling TLS verification for OpenID Connect and other authentication server connections. Optionally, upload or paste the TLS self-signed certificate so that the connection can be validated against it. Additionally, upgrade NeuVector to version 5.4.8 or later, where TLS verification is enabled by default for new deployments. Note that rolling upgrades do not automatically enable TLS verification (so that existing deployments are not disrupted), so it must be enabled manually after upgrading. [1]
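As an added example, not NeuVector's own code, the Go snippet below models the two settings the answers above refer to: verification off, as in the vulnerable default, versus verification on with an optionally pasted self-signed certificate, and shows what each does with a certificate an interceptor would present. The function names, the `idp.example.internal` hostname and the generated certificates are constructed for the demonstration; NeuVector's real configuration type is not shown on this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// NewOIDCTLSConfig builds the tls.Config for the OpenID Connect provider connection from two assumed knobs: whether verification is enforced and an optional pasted PEM certificate.
func NewOIDCTLSConfig(verifyTLS bool, selfSignedPEM string) (*tls.Config, error) {
	if !verifyTLS { // the CWE-295 default in 5.3.0 to 5.4.7: chain and hostname checks are skipped
		return &tls.Config{InsecureSkipVerify: true}, nil
	}
	pool := x509.NewCertPool() // empty for a deterministic demo; real code would start from x509.SystemCertPool()
	if selfSignedPEM != "" && !pool.AppendCertsFromPEM([]byte(selfSignedPEM)) {
		return nil, fmt.Errorf("uploaded certificate is not valid PEM")
	}
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}, nil
}
// VerifyProviderCert applies the checks a handshake would run on the provider's leaf certificate under cfg; a nil error means the connection would be accepted.
func VerifyProviderCert(cfg *tls.Config, leaf *x509.Certificate, host string) error {
	if cfg.InsecureSkipVerify {
		return nil // an interceptor's certificate passes just like the real provider's
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: host})
	return err
}
// SelfSignedCert creates a constructed self-signed certificate for host (demo data only).
func SelfSignedCert(host string) (*x509.Certificate, string) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}
func main() { // a second cert for the same name but a different key stands in for an interceptor
	_, idpPEM := SelfSignedCert("idp.example.internal")
	rogue, _ := SelfSignedCert("idp.example.internal")
	cfg, _ := NewOIDCTLSConfig(true, idpPEM)
	fmt.Println("rogue cert rejected once verification is on:", VerifyProviderCert(cfg, rogue, "idp.example.internal") != nil)
}
```

With `verifyTLS` false the same rogue certificate is accepted, which is the condition the CVE describes; enabling verification without pasting the provider's certificate leaves an empty trust pool here, so a real deployment would start from the system roots as the comment notes.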