CVE-2025-8077: NeuVector admin account has insecure default password

August 28, 2025 (updated September 17, 2025)

A vulnerability exists in NeuVector versions up to and including 5.4.5, where a fixed string is used as the default password for the built-in admin account. If this password is not changed immediately after deployment, any workload with network access within the cluster could use the default credentials to obtain an authentication token. This token can then be used to perform any operation via NeuVector APIs.

In earlier versions, NeuVector supports setting the default (bootstrap) password for the admin account using a Kubernetes Secret named neuvector-bootstrap-secret. This Secret must contain a key named bootstrapPassword. However, if NeuVector fails to retrieve this value, it falls back to the fixed default password.

References

Code Behaviors & Features

Detect and mitigate CVE-2025-8077 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →