
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical vulnerability (CVE-2025-8077) has been identified in NeuVector versions up to and including 5.4.5, with a CVSS score of 9.8. The vulnerability stems from the use of a fixed string as the default password for the built-in admin account in this open-source container security platform integrated with Rancher. The flaw was discovered and disclosed in September 2025, affecting all NeuVector deployments that haven't changed their default administrative credentials (GitHub Advisory, Security Online).
The vulnerability exists due to a hardcoded default password mechanism in the admin account. When NeuVector fails to retrieve the bootstrap password from the Kubernetes Secret (neuvector-bootstrap-secret), it falls back to using a fixed default password. This implementation allows any workload with network access within the cluster to use these default credentials to obtain an authentication token, which can then be used to perform administrative operations through NeuVector APIs (GitHub Advisory, Debian Security).
The exploitation of this vulnerability could lead to a full compromise of Kubernetes clusters. An attacker who successfully obtains the authentication token can perform any administrative operation, effectively taking control of the security platform and undermining protections across the entire Kubernetes environment (Security Online).
The vulnerability has been patched in NeuVector version 5.4.6 and later releases. The fix introduces new Kubernetes RBAC permissions so that bootstrap passwords are managed securely through Secrets. Organizations running vulnerable versions need immediate manual intervention: log into the NeuVector UI after deployment and change the default admin password. The patched version also generates a secure random password automatically if bootstrapPassword is not set in the neuvector-bootstrap-secret (GitHub Advisory, Security Online).
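The two fallback behaviours described above, as an added illustration that is not NeuVector's own code: the Secret is modelled as a plain map, the fixed string is an obviously labelled placeholder (the advisory does not publish the real one), and the function names are hypothetical.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Constructed placeholder: the advisory does not publish the real fixed string,
// and the point of the example is only that it is shared by every deployment.
const placeholderFixedDefault = "PLACEHOLDER-FIXED-DEFAULT"

// secretKey is the key the advisory names inside neuvector-bootstrap-secret.
const secretKey = "bootstrapPassword"

// vulnerableBootstrapPassword mirrors the pre-5.4.6 behaviour: when the Secret
// carries no bootstrapPassword, fall back to a constant every cluster shares.
func vulnerableBootstrapPassword(secretData map[string][]byte) string {
	if v, ok := secretData[secretKey]; ok && len(v) > 0 {
		return string(v)
	}
	return placeholderFixedDefault
}

// fixedBootstrapPassword models the corrected behaviour: a missing value is
// replaced by a freshly generated random password, never by a shared constant.
func fixedBootstrapPassword(secretData map[string][]byte) (string, error) {
	if v, ok := secretData[secretKey]; ok && len(v) > 0 {
		return string(v), nil
	}
	buf := make([]byte, 24) // 192 bits from the OS CSPRNG
	if _, err := rand.Read(buf); err != nil {
		return "", errors.New("unable to generate bootstrap password: " + err.Error())
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

func main() {
	empty := map[string][]byte{} // constructed: Secret without bootstrapPassword
	fmt.Println("vulnerable fallback:", vulnerableBootstrapPassword(empty))
	p, err := fixedBootstrapPassword(empty)
	if err != nil {
		panic(err)
	}
	fmt.Println("fixed fallback:     ", p)
}
```

Running it twice shows the difference a defender cares about: the vulnerable fallback prints the same value on every run, the fixed one prints a different 32-character value each time.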
Source: This report was generated using AI