Critical severity9.8GHSA Advisory· Published Sep 17, 2025· Updated Apr 15, 2026

CVE-2025-8077

Description

A vulnerability exists in NeuVector versions up to and including 5.4.5, where a fixed string is used as the default password for the built-in admin account. If this password is not changed immediately after deployment, any workload with network access within the cluster could use the default credentials to obtain an authentication token. This token can then be used to perform any operation via NeuVector APIs.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/neuvector/neuvectorGo	>= 5.0.0, < 5.4.6	5.4.6
github.com/neuvector/neuvectorGo	< 0.0.0-20250825191744-da1a462074c3	0.0.0-20250825191744-da1a462074c3

Affected products

Neuvector/NeuvectorGHSA
Range: < 0.0.0-20250825191744-da1a462074c3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-8pxw-9c75-6w56ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-8077ghsaADVISORY
bugzilla.suse.com/show_bug.cginvdWEB
github.com/neuvector/neuvector/security/advisories/GHSA-8pxw-9c75-6w56nvdWEB

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000