CVE-2025-10678: 
vulnerability analysis and mitigation

NetBird VPN contains a security vulnerability (CVE-2025-10678) where the vendor's provided installation script fails to remove or change the default password of an admin account created by ZITADEL identity provider. This vulnerability affects instances installed using the vendor's provided script and potentially affects Docker installations if the default password was not changed or the admin user was not removed. The vulnerability was discovered and reported to CERT Polska, with public disclosure on October 20, 2025. The issue has been fixed in NetBird version 0.57.0 (CERT Advisory).

The vulnerability is classified as CWE-1392 (Use of Default Credentials) and has received a CVSS 4.0 Base Score of 9.3 (Critical) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. The vulnerability stems from the installation process, specifically in the infrastructure_files/getting-started-with-zitadel.sh script, which fails to remove the default zitadel-admin user created during the initial setup (CERT Advisory, Miggo Analysis).

The presence of default credentials could allow unauthorized access to the NetBird VPN administrative interface, potentially compromising the entire VPN infrastructure. With high vulnerability scores for confidentiality, integrity, and availability (VC:H/VI:H/VA:H), successful exploitation could give attackers full control over the VPN system (CERT Advisory).

Users should immediately upgrade to NetBird version 0.57.0 or later, which addresses this vulnerability. For systems that cannot be immediately upgraded, administrators should manually remove the default zitadel-admin user or change its password. This is particularly important for Docker installations where the default credentials might still be present (CERT Advisory).