CRITICAL🇵🇱 Wersja polska

CVE-2025-62877

CVSS 9.8v3.1pub. 2026-01-08upd. 2026-04-15

Projects using the SUSE Virtualization (Harvester) environment may expose the OS default ssh login password  if they are using the 1.5.x or 1.6.x interactive installer to either create a new cluster or add new hosts to an existing cluster. The environment is not affected if the PXE boot mechanism is utilized along with the Harvester configuration setup.

🤖 AI Analysis
How it works

The vulnerability (CWE-1188 — initialization with insecure default value) occurs when using the interactive installer in versions 1.5.x and 1.6.x, both when creating a new cluster and when adding new hosts to an existing cluster. During this process, the default SSH password of the operating system may be disclosed. The environment is not vulnerable if the PXE boot mechanism is used in conjunction with Harvester configuration to start the system.

Impact

An attacker who obtains the disclosed SSH password can log into cluster nodes without authorization, posing a risk of complete takeover of the virtualization infrastructure, as well as breaches of data confidentiality and system integrity and availability.

Mitigation & patch

Apply patches available from the vendor according to the references. Until updates are applied, it is recommended to use the PXE boot mechanism with Harvester configuration instead of the interactive installer, and to immediately change default SSH passwords on all cluster nodes installed using the interactive installer in versions 1.5.x or 1.6.x.

Who is affected

SUSE Virtualization (Harvester) in versions 1.5.x and 1.6.x when the interactive installer is used for installation or cluster expansion. Environments using the PXE boot mechanism with Harvester configuration are not vulnerable.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References