CVE-2025-62877 in harvesterinfo

Summary

by MITRE • 01/08/2026

Projects using the SUSE Virtualization (Harvester) environment may expose the OS default ssh login password if they are using the 1.5.x or 1.6.x interactive installer to either create a new cluster or add new hosts to an existing cluster. The environment is not affected if the PXE boot mechanism is utilized along with the Harvester configuration setup.


Analysis

by VulDB Data Team • 01/08/2026

CVE-2025-62877 represents a critical security vulnerability within the SUSE Virtualization (Harvester) environment that affects specific versions of the interactive installer. This flaw manifests when administrators use the 1.5.x or 1.6.x installer to either establish new clusters or integrate additional hosts into existing deployments. The vulnerability stems from the installer's default configuration that provisions systems with pre-defined SSH credentials, creating an inherent security risk that persists throughout the cluster lifecycle. The issue is particularly concerning because it operates at the foundational level of cluster deployment, potentially exposing all nodes to unauthorized access if proper configuration practices are not followed during installation. This vulnerability aligns with CWE-798, which addresses the use of hard-coded credentials, and represents a significant deviation from secure configuration management principles that should be enforced during infrastructure provisioning.

The technical implementation of this vulnerability occurs through the interactive installer's handling of default authentication parameters during cluster creation or host addition. When the installer falls back to standard SSH credentials rather than provisioning unique credentials for each system, it creates a persistent attack surface that adversaries can exploit. Deployments that use the PXE boot mechanism together with a proper Harvester configuration setup are not affected, which indicates that the issue is tied to the interactive installer's execution path rather than to the underlying virtualization platform. This selective impact suggests that the flaw lies in the installer's credential management logic rather than in the core Harvester components, making it a configuration and deployment tool vulnerability rather than a fundamental platform weakness.

The operational impact of CVE-2025-62877 extends beyond immediate unauthorized access to broader security implications for virtualized environments. Once an attacker discovers and exploits the default SSH credentials, they gain privileged access to the affected systems, potentially enabling lateral movement within the cluster, data exfiltration, or disruption of critical services. Because the weakness applies to both new cluster creation and host addition, organizations may unknowingly deploy vulnerable systems repeatedly, creating multiple attack vectors. This directly contradicts the principle of least privilege and the secure-by-default configuration that modern virtualization platforms should provide. The vulnerability also aligns with ATT&CK technique T1078.004, which addresses valid accounts with default passwords, and represents a significant risk to organizations that rely on automated deployment processes without proper credential management protocols.

Organizations affected by this vulnerability should immediately implement several mitigation strategies to reduce exposure. The primary recommendation is to move away from the vulnerable interactive installer versions, either by upgrading to patched releases or by using the PXE boot mechanism with proper configuration management. System administrators must ensure that all new cluster deployments and host additions follow secure configuration practices that provision unique authentication credentials rather than relying on defaults. Remediation should include comprehensive credential rotation for any systems that may have been provisioned with the vulnerable installer versions, as well as automated security scanning to detect and prevent future deployments that use default credentials. Additionally, organizations should establish strict deployment validation procedures that verify installer configurations and authentication settings before system activation, ensuring that default credentials are never exposed in production environments. The vulnerability serves as a reminder of the critical importance of secure configuration management and of robust credential handling practices in virtualized infrastructure deployments.
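One concrete form of the "deployment validation" step above is a pre-flight check on the Harvester configuration file that is handed to a PXE install, so that a node never comes up relying on the installer's default OS password. The script below is an added example written for this page; it is not VulDB's or SUSE's code. It assumes the config's `os.password` and `os.ssh_authorized_keys` fields (the names used in Harvester's documented configuration schema; verify them against the reference for your version), and the list of placeholder passwords is constructed for illustration: the advisory does not publish the actual default, so add your own baseline values.

```python
"""Pre-deployment audit of the `os` section of a Harvester config file.

Flags the credential weaknesses behind CVE-2025-62877: a node that would be
provisioned with a missing, placeholder or clear-text OS password and no
SSH public keys. Example code for this page, not part of Harvester.
"""
from __future__ import annotations

# Values that must never reach a production node. Constructed for this
# example; it deliberately does NOT contain the real installer default.
PLACEHOLDER_PASSWORDS = {"", "password", "changeme", "admin", "rancher"}

# crypt(3)-style hash prefixes (md5, bcrypt variants, sha256, sha512, yescrypt).
HASH_PREFIXES = ("$1$", "$2a$", "$2b$", "$2y$", "$5$", "$6$", "$y$")

# Key-type prefixes that an OpenSSH authorized_keys entry starts with.
SSH_KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def audit_os_section(config: dict) -> list[str]:
    """Return a list of findings for the `os` section; empty means it passes."""
    findings: list[str] = []
    os_section = config.get("os") or {}
    password = os_section.get("password")
    keys = os_section.get("ssh_authorized_keys") or []

    if password is None:
        findings.append("os.password not set: node would keep the installer default")
    elif str(password).strip().lower() in PLACEHOLDER_PASSWORDS:
        findings.append("os.password is a placeholder/default value")
    elif not str(password).startswith(HASH_PREFIXES):
        findings.append("os.password is clear text; supply a crypt hash instead")

    if not keys:
        findings.append("no os.ssh_authorized_keys: the password is the only SSH login path")
    else:
        for idx, key in enumerate(keys):
            key_type = str(key).split(" ")[0]
            if not key_type.startswith(SSH_KEY_PREFIXES):
                findings.append(f"ssh_authorized_keys[{idx}] is not an OpenSSH public key line")
    return findings


# Constructed sample configs so the check runs offline.
WEAK_CONFIG = {"install": {"mode": "create"}, "os": {"password": "changeme"}}

CLEARTEXT_CONFIG = {
    "install": {"mode": "join"},
    "os": {
        "password": "Un1que-but-plain",  # constructed; unique yet stored in clear
        "ssh_authorized_keys": ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBody ops@example"],
    },
}

GOOD_CONFIG = {
    "install": {"mode": "join"},
    "os": {
        "password": "$6$examplesalt$EXAMPLEHASHBODY",  # constructed placeholder hash
        "ssh_authorized_keys": ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBody ops@example"],
    },
}


def audit_file(path: str) -> list[str]:
    """Load a YAML config from disk (needs PyYAML) and audit it."""
    import yaml  # imported lazily so the rest of the module has no dependency

    with open(path, encoding="utf-8") as handle:
        return audit_os_section(yaml.safe_load(handle) or {})


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        results = {sys.argv[1]: audit_file(sys.argv[1])}
    else:
        results = {
            "weak": audit_os_section(WEAK_CONFIG),
            "cleartext": audit_os_section(CLEARTEXT_CONFIG),
            "good": audit_os_section(GOOD_CONFIG),
        }
    for name, findings in results.items():
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print(f"  - {finding}")
    sys.exit(1 if any(results.values()) else 0)
```

Run it without arguments to see the three constructed configs graded, or pass a path to an actual config file (`python audit_harvester_os.py harvester-config.yaml`) to gate a PXE deployment in CI: a non-zero exit blocks the rollout until the `os` section carries a per-deployment hashed password and at least one SSH public key.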

Responsible

Suse

Reservation

10/24/2025

Disclosure

01/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00020

KEV

no

Activities

very low

Sources
