CVE-2025-62877
📋 TL;DR
CVE-2025-62877 exposes the default SSH login password in SUSE Harvester virtualization environments when the interactive installer (1.5.x or 1.6.x) is used to create new clusters or add hosts. An attacker who learns this password can gain unauthorized access to affected systems. Only environments installed with the interactive installer are affected; PXE boot installations are not affected.
💻 Affected Systems
- SUSE Harvester (Virtualization Platform)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the Harvester cluster, allowing attackers to access all virtual machines, steal sensitive data, deploy ransomware, or use the infrastructure for further attacks.
Likely Case
Unauthorized SSH access to Harvester nodes, enabling privilege escalation, configuration manipulation, and lateral movement within the virtualization environment.
If Mitigated
Limited impact if strong network segmentation, firewall rules, and monitoring are in place to detect and block unauthorized SSH attempts.
🎯 Exploit Status
Exploitation requires knowledge of the default SSH password, which is exposed through the vulnerability. No authentication bypass needed once credentials are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to Harvester 1.6.2 or later versions
Vendor Advisory: https://github.com/harvester/harvester/security/advisories/GHSA-6g8q-hp2j-gvwv
Restart Required: Yes
Instructions:
1. Back up your Harvester configuration and data.
2. Update Harvester to version 1.6.2 or later using the official update mechanism.
3. Restart all Harvester services and nodes.
4. Change all SSH passwords on affected systems.
🔧 Temporary Workarounds
Change Default SSH Passwords
Immediately change all default SSH passwords on Harvester nodes to strong, unique passwords. `passwd` changes the password of the account you are logged in as; `ssh-keygen` generates a key pair so that key-based authentication can replace password logins (install the public key in the node's authorized_keys before disabling password authentication in sshd).
passwd
ssh-keygen -t rsa -b 4096
Restrict SSH Access
Configure firewall rules to restrict SSH access to trusted IP addresses only. Replace TRUSTED_IP with your management host or network; the ACCEPT rule must come before the DROP rule, and rules added this way are lost on reboot unless saved.
iptables -A INPUT -p tcp --dport 22 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
🧯 If You Can't Patch
- Immediately change all default SSH passwords and implement strong password policies
- Implement network segmentation and firewall rules to restrict SSH access to management networks only
🔍 How to Verify
Check if Vulnerable:
You are potentially vulnerable if the node runs Harvester 1.5.x or 1.6.x (before 1.6.2) and was installed or added with the interactive installer. Review installation logs to determine whether the interactive installer was used.
Check Version:
harvester version
Verify Fix Applied:
Verify Harvester version is 1.6.2 or later using 'harvester version' command. Confirm SSH passwords have been changed from defaults.
📡 Detection & Monitoring
Log Indicators:
- Failed SSH login attempts with default credentials
- Successful SSH logins from unexpected sources
- Interactive installer usage in installation logs
Network Indicators:
- SSH connections to Harvester nodes from unauthorized IPs
- Brute-force attempts on SSH port 22
SIEM Query:
source="auth.log" AND ("Failed password" OR "Accepted password") AND ("root" OR "DEFAULT_USER") AND destination_ip="HARVESTER_NODE_IP"
(Replace DEFAULT_USER with the account created by the interactive installer and HARVESTER_NODE_IP with the node's management address.)
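The log indicators and SIEM query above describe what to look for; the following added example (not part of the advisory or of Harvester) implements the same logic offline over a few constructed sshd lines in auth.log format. It flags successful password logins for watched accounts, successful logins from outside a trusted management network, and sources with repeated failures. The account name "default-user", the IP addresses and the trusted network are placeholders chosen for the example.

```python
import ipaddress
import re
from collections import Counter

# Matches sshd authentication outcomes in syslog-style auth.log lines.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9.]+) port \d+"
)

# Constructed sample lines; "default-user" stands in for the account the
# interactive installer creates and must be replaced with the real name.
SAMPLE_AUTH_LOG = """\
Nov 12 09:01:10 node1 sshd[2101]: Failed password for root from 203.0.113.45 port 51234 ssh2
Nov 12 09:01:12 node1 sshd[2101]: Failed password for root from 203.0.113.45 port 51236 ssh2
Nov 12 09:01:14 node1 sshd[2101]: Failed password for root from 203.0.113.45 port 51238 ssh2
Nov 12 09:01:16 node1 sshd[2103]: Accepted password for default-user from 203.0.113.45 port 51240 ssh2
Nov 12 09:05:30 node1 sshd[2110]: Accepted publickey for default-user from 10.0.0.5 port 40000 ssh2: ED25519 SHA256:abc
Nov 12 09:06:00 node1 sshd[2115]: Accepted password for default-user from 10.0.0.5 port 40002 ssh2
Nov 12 09:07:00 node1 sshd[2120]: Failed password for invalid user admin from 198.51.100.7 port 3333 ssh2
Nov 12 09:07:05 node1 sshd[2120]: Connection closed by 198.51.100.7 port 3333 [preauth]
"""


def parse_sshd_events(log_text):
    """Return one dict (result, method, user, ip) per sshd auth line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def is_trusted(ip, trusted_nets):
    """True if ip falls inside any of the trusted management networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted_nets)


def analyze_sshd_log(log_text, watched_users, trusted_cidrs, failed_threshold=3):
    """Apply the advisory's log and network indicators to auth.log text."""
    trusted_nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    events = parse_sshd_events(log_text)
    password_logins = []   # successful password auth for a watched account (any source)
    untrusted_logins = []  # any successful login from outside the management network
    failed_by_ip = Counter()
    for ev in events:
        if ev["result"] == "Failed":
            failed_by_ip[ev["ip"]] += 1
            continue
        if not is_trusted(ev["ip"], trusted_nets):
            untrusted_logins.append((ev["user"], ev["ip"], ev["method"]))
        if ev["method"] == "password" and ev["user"] in watched_users:
            password_logins.append((ev["user"], ev["ip"]))
    brute_force = {ip: n for ip, n in failed_by_ip.items() if n >= failed_threshold}
    return {
        "events": len(events),
        "password_logins": password_logins,
        "untrusted_logins": untrusted_logins,
        "brute_force_sources": brute_force,
    }


if __name__ == "__main__":
    report = analyze_sshd_log(SAMPLE_AUTH_LOG, {"root", "default-user"}, ["10.0.0.0/8"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

Feed the real /var/log/auth.log (or the output of `journalctl -u sshd`) into `analyze_sshd_log` with the installer's default account in `watched_users` and your management networks in `trusted_cidrs`. After the default password has been changed and key-based login enforced, any entry in `password_logins` is itself worth investigating, not only those from untrusted sources.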