A vulnerability has been identified in the NeuVector scanner where the scanner process accepts registry and controller credentials as command-line arguments, potentially exposing sensitive credentials to local users.
NeuVector scanner insecurely handles passwords as command arguments
Problem type
CWE-522: Insufficiently Protected Credentials
Affected products
SUSE harvester, package github.com/neuvector/scanner
>= 4.0, < 4.072 - AFFECTED
References
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-67860
https://github.com/harvester/harvester/security/advisories/GHSA-3c9m-gq32-g4jx
GitHub Security Advisories
GHSA-3c9m-gq32-g4jx
NeuVector scanner insecurely handles passwords as command arguments
https://github.com/advisories/GHSA-3c9m-gq32-g4jx
Impact
A vulnerability has been identified in the NeuVector scanner where the scanner process accepts registry and controller credentials as command-line arguments, potentially exposing sensitive credentials to local users. This may allow unauthorized access to registries or the NeuVector controller, potentially enabling image manipulation, information disclosure, or further lateral movement within the environment.
Important:
- For credentials that are not NeuVector's own (for example registry credentials), the final confidentiality, integrity and availability impact depends on the permissions those leaked credentials hold on their respective services.
- It is recommended to review which credentials may have been exposed in this scenario and to rotate them where necessary.
Please consult the associated MITRE ATT&CK technique, Unsecured Credentials (T1552) under the Credential Access tactic, for further information about this category of attack.
Patches
Patched versions include release v4.072 and above.
Starting from v4.072, the scanner monitor process no longer passes credentials to the scanner on its command line. Instead, the scanner process reads them from environment variables, so they are no longer exposed through /proc/*/cmdline, which is world-readable on Linux. Note that /proc/<pid>/environ remains readable by the process owner and by root (it is mode 0400 and gated by the ptrace access check), so the fix removes the credentials from the reach of other unprivileged local users rather than from the host entirely.
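The following is an added example, not code from the NeuVector project or this advisory. It shows both halves of the issue in Go, the scanner's own language: an audit routine that walks /proc/<pid>/cmdline (world-readable, which is what makes the vulnerable pattern a local information disclosure) and reports credential-bearing flags, and the hardened pattern of reading a secret from an environment variable and unsetting it afterwards. The flag names in credentialFlags and the environment variable name used in main are illustrative assumptions; the advisory does not name NeuVector's actual flags or variables.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// credentialFlags: flag names (lower-cased, without dashes) whose value is a
// secret. Illustrative list for this example, not NeuVector's real flag set.
var credentialFlags = map[string]bool{
	"password": true, "passwd": true, "token": true, "secret": true,
	"api-key": true, "registry-password": true, "controller-password": true,
}

// Finding is one credential-bearing argument found in a command line.
type Finding struct {
	Flag  string
	Value string
}

// parseCmdline turns the NUL-separated contents of /proc/<pid>/cmdline into argv.
func parseCmdline(raw []byte) []string {
	raw = bytes.TrimRight(raw, "\x00")
	if len(raw) == 0 {
		return nil
	}
	return strings.Split(string(raw), "\x00")
}

// findCredentialArgs reports every "--flag value" or "--flag=value" argument
// whose flag name is listed in credentialFlags.
func findCredentialArgs(argv []string) []Finding {
	var out []Finding
	for i := 0; i < len(argv); i++ {
		arg := argv[i]
		if !strings.HasPrefix(arg, "-") {
			continue
		}
		name := strings.TrimLeft(arg, "-")
		value, inline := "", false
		if eq := strings.IndexByte(name, '='); eq >= 0 {
			name, value, inline = name[:eq], name[eq+1:], true
		} else if i+1 < len(argv) {
			value = argv[i+1]
		}
		if !credentialFlags[strings.ToLower(name)] || value == "" {
			continue
		}
		out = append(out, Finding{Flag: name, Value: value})
		if !inline {
			i++ // the next argv element was consumed as this flag's value
		}
	}
	return out
}

// redact keeps only the first and last character so the report itself does
// not re-leak the secret it found.
func redact(v string) string {
	if len(v) <= 2 {
		return strings.Repeat("*", len(v))
	}
	return v[:1] + strings.Repeat("*", len(v)-2) + v[len(v)-1:]
}

// scanProc reads <procRoot>/<pid>/cmdline for every numeric directory and
// returns findings keyed by pid. Entries that cannot be read are skipped.
func scanProc(procRoot string) (map[int][]Finding, error) {
	entries, err := os.ReadDir(procRoot)
	if err != nil {
		return nil, err
	}
	results := map[int][]Finding{}
	for _, e := range entries {
		pid, err := strconv.Atoi(e.Name())
		if err != nil || !e.IsDir() {
			continue
		}
		raw, err := os.ReadFile(filepath.Join(procRoot, e.Name(), "cmdline"))
		if err != nil {
			continue
		}
		if f := findCredentialArgs(parseCmdline(raw)); len(f) > 0 {
			results[pid] = f
		}
	}
	return results, nil
}

// credentialFromEnv is the hardened pattern: take the secret from the
// environment and unset it immediately, so it is neither inherited by child
// processes nor left visible in this process's /proc/<pid>/environ.
func credentialFromEnv(name string) (string, error) {
	v, ok := os.LookupEnv(name)
	if !ok || v == "" {
		return "", fmt.Errorf("%s is not set", name)
	}
	_ = os.Unsetenv(name)
	return v, nil
}

func main() {
	findings, err := scanProc("/proc")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for pid, fs := range findings {
		for _, f := range fs {
			fmt.Printf("pid %d: --%s %s\n", pid, f.Flag, redact(f.Value))
		}
	}
}
```

Run the audit as root (or with hostPID in a privileged pod) to cover processes of every user on the node; inside an ordinary container it only sees that container's PID namespace. Because cmdline is world-readable, the same findings are available to any unprivileged local user, which is exactly the exposure the advisory describes.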
Workarounds
There is no workaround for this issue. Users are recommended to upgrade, as soon as possible, to a version of NeuVector scanner that contains the fix.
If you have any questions or comments about this advisory:
- Reach out to the SUSE Rancher Security team for security related inquiries.
- Open an issue in the NeuVector repository.
- Verify with our support matrix and product support lifecycle.
References
https://github.com/neuvector/scanner/security/advisories/GHSA-3c9m-gq32-g4jx
https://github.com/neuvector/scanner/commit/c2f0f9268468e49eb3addea923156123c4465794
https://github.com/neuvector/scanner/releases/tag/v4.072
https://github.com/advisories/GHSA-3c9m-gq32-g4jx
JSON source
https://cveawg.mitre.org/api/cve/CVE-2025-67860
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2025-67860",
"assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"assignerShortName": "suse",
"dateUpdated": "2026-02-25T10:33:25.605Z",
"dateReserved": "2025-12-12T14:23:59.780Z",
"datePublished": "2026-02-25T10:33:25.605Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"shortName": "suse",
"dateUpdated": "2026-02-25T10:33:25.605Z"
},
"datePublic": "2026-02-12T21:14:00.000Z",
"title": "NeuVector scanner insecurely handles passwords as command arguments",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in the NeuVector scanner where the scanner process accepts registry and controller credentials as command-line arguments, potentially exposing sensitive credentials to local users.",
"supportingMedia": [
{
"type": "text/html",
"base64": false,
"value": "<span style=\"background-color: rgb(255, 255, 255);\">A vulnerability has been identified in the NeuVector scanner where the scanner process accepts registry and controller credentials as command-line arguments, potentially exposing sensitive credentials to local users. </span><br>"
}
]
}
],
"affected": [
{
"vendor": "SUSE",
"product": "harvester",
"packageName": "github.com/neuvector/scanner",
"defaultStatus": "unaffected",
"versions": [
{
"version": "4.0",
"status": "affected",
"versionType": "semver",
"lessThan": "4.072"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-522: Insufficiently Protected Credentials",
"cweId": "CWE-522",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-67860"
},
{
"url": "https://github.com/harvester/harvester/security/advisories/GHSA-3c9m-gq32-g4jx"
}
],
"metrics": [
{
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
],
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"attackVector": "LOCAL",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"scope": "CHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW"
}
}
]
}
}
}