VYPR
Vendor: Neuvector

Products: 1
CVEs: 10
Across products: 10
Status: Private

Recent CVEs (10)

  • CVE-2025-54469 | Critical | Oct 30, 2025
    risk 0.57 | cvss 9.9 | epss 0.00

    A vulnerability was identified in NeuVector, where the enforcer used environment variables CLUSTER_RPC_PORT and CLUSTER_LAN_PORT to generate a command to be executed via popen, without first sanitising their values. The entry process of the enforcer container is the monitor …

  • CVE-2025-8077 | Critical | Sep 17, 2025
    risk 0.57 | cvss 9.8 | epss 0.01

    A vulnerability exists in NeuVector versions up to and including 5.4.5, where a fixed string is used as the default password for the built-in `admin` account. If this password is not changed immediately after deployment, any workload with network access within the cluster could…

  • CVE-2023-32188 | Critical | Oct 16, 2024
    risk 0.54 | cvss n/a | epss 0.00

    A user can reverse engineer the JWT token (JSON Web Token) used in authentication for Manager and API access, forging a valid NeuVector Token to perform malicious activity in NeuVector. This can lead to an RCE.

  • CVE-2025-66001 | High | Jan 8, 2026
    risk 0.50 | cvss 8.8 | epss 0.00

    NeuVector supports login authentication through OpenID Connect. However, TLS verification (which verifies the remote server's authenticity and integrity) for OpenID Connect is not enforced by default. As a result, this may expose the system to man-in-the-middle (MITM) attacks.

  • CVE-2025-54470 | High | Oct 30, 2025
    risk 0.49 | cvss 8.6 | epss 0.00

    This vulnerability affects NeuVector deployments only when the Report anonymous cluster data option is enabled. When this option is enabled, NeuVector sends anonymous telemetry data to the telemetry server. In affected versions, NeuVector does not enforce TLS certificate…

  • CVE-2025-54471 | Medium | Oct 30, 2025
    risk 0.35 | cvss 6.5 | epss 0.00

    NeuVector used a hard-coded cryptographic key embedded in the source code. At compilation time, the key value was replaced with the secret key value and used to encrypt sensitive configurations when NeuVector stores the data.

  • CVE-2025-54467 | Medium | Sep 17, 2025
    risk 0.27 | cvss 5.3 | epss 0.00

    When a Java command with password parameters is executed and then terminated by NeuVector for a Process rule violation, the password will appear in the NeuVector security event log.

  • CVE-2025-53884 | Medium | Sep 17, 2025
    risk 0.27 | cvss 5.3 | epss 0.00

    NeuVector stores user passwords and API keys using a simple, unsalted hash. This method is vulnerable to rainbow table attacks (offline attacks in which hashes of known passwords are precomputed).

  • CVE-2023-22644 | Sep 20, 2023
    risk 0.00 | cvss n/a | epss 0.00

    A user can reverse engineer the JWT token (JSON Web Token) used in authentication for Manager and API access, forging a valid NeuVector Token to perform malicious activity in NeuVector. This can lead to an RCE.

  • CVE-2019-19747 | Dec 20, 2019
    risk 0.00 | cvss n/a | epss 0.01

    NeuVector 3.1, when configured to allow authentication via Active Directory, does not enforce non-empty passwords, which allows an attacker with access to the NeuVector portal to authenticate as any valid LDAP user by providing a valid username and an empty password (provided that…