CVE-2025-66001
📋 TL;DR
This vulnerability in NeuVector's OpenID Connect implementation allows man-in-the-middle attacks by not enforcing TLS certificate verification by default. Attackers can intercept authentication traffic to potentially steal credentials or impersonate users. All NeuVector deployments using OpenID Connect authentication are affected.
💻 Affected Systems
- NeuVector
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers intercept authentication traffic, steal administrator credentials, gain full control of NeuVector cluster, and potentially pivot to underlying Kubernetes infrastructure.
Likely Case
Credential theft leading to unauthorized access to NeuVector management interface, allowing attackers to modify security policies, disable protections, or exfiltrate sensitive container security data.
If Mitigated
With TLS verification enabled, authentication remains secure, but configuration errors could still expose the system if verification is disabled.
🎯 Exploit Status
Exploitation requires network position to intercept TLS traffic between NeuVector and OpenID Connect provider. Standard MITM techniques apply.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.4.2 and later
Vendor Advisory: https://github.com/neuvector/neuvector/security/advisories/GHSA-4jj9-cgqc-x9h5
Restart Required: Yes
Instructions:
1. Upgrade NeuVector to version 5.4.2 or later.
2. Verify that TLS certificate verification is enabled in the OpenID Connect configuration.
3. Restart NeuVector services.
🔧 Temporary Workarounds
Enable TLS Verification
Manually enable TLS certificate verification in the OpenID Connect configuration
Edit NeuVector configuration to set 'verify_cert' to true in OpenID Connect settings
Network Segmentation
Isolate NeuVector management traffic from potential MITM attack vectors
Configure network policies to restrict traffic between NeuVector and OpenID Connect provider to trusted paths only
🧯 If You Can't Patch
- Enable TLS certificate verification in OpenID Connect configuration immediately
- Implement network monitoring for suspicious authentication traffic patterns
🔍 How to Verify
Check if Vulnerable:
The deployment is vulnerable if the NeuVector version is below 5.4.2 and the OpenID Connect configuration has 'verify_cert' set to false or left unspecified (the insecure default applies when the key is absent)
Check Version:
kubectl get pods -n neuvector -l app=neuvector-controller -o jsonpath='{.items[0].spec.containers[0].image}' | grep -o ':[0-9.]*'
Verify Fix Applied:
Confirm version is 5.4.2+ and OpenID Connect configuration shows 'verify_cert: true'
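As an added example, not taken from the page or from NeuVector's own code, the following Python check applies the two conditions above: the version from the image reference printed by the kubectl pipeline (or a full image string), and the 'verify_cert' key from the OpenID Connect settings. It assumes the settings are available as a dictionary keyed by 'verify_cert'; the sample inputs are constructed.

```python
import re

# Version in which the vendor advisory states the default was fixed (from the page).
PATCHED_VERSION = (5, 4, 2)


def parse_version(image_or_tag):
    """Extract a numeric version from an image reference such as
    'docker.io/neuvector/controller:5.4.1' or the bare ':5.4.1' that the
    kubectl | grep pipeline prints. Returns a 3-tuple, or None if no tag."""
    last = image_or_tag.rsplit("/", 1)[-1]          # drop registry[:port]/path
    tag = last.split(":", 1)[1] if ":" in last else ""
    m = re.match(r"v?(\d+(?:\.\d+){0,2})", tag)      # digests (@sha256:...) give None
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))     # '5.3' -> (5, 3, 0)


def oidc_verify_enabled(oidc_config):
    """Only an explicit true counts; absent or false leaves verification off."""
    v = oidc_config.get("verify_cert")
    return v is True or (isinstance(v, str) and v.strip().lower() == "true")


def assess(image_or_tag, oidc_config):
    """Return {'vulnerable': True/False/None, 'reason': ...}; None means the
    version could not be determined and the host needs manual review."""
    version = parse_version(image_or_tag)
    if version is None:
        return {"vulnerable": None, "reason": "version not determinable from image reference"}
    if version >= PATCHED_VERSION:
        return {"vulnerable": False, "reason": "version %d.%d.%d includes the fix" % version}
    if oidc_verify_enabled(oidc_config):
        return {"vulnerable": False, "reason": "pre-fix version but verify_cert explicitly true"}
    return {"vulnerable": True, "reason": "pre-fix version with verify_cert false or unspecified"}


if __name__ == "__main__":
    # Constructed sample inputs (hypothetical image tags and settings).
    for image, cfg in [(":5.4.1", {}),
                       ("neuvector/controller:5.4.1", {"verify_cert": True}),
                       ("registry.example:5000/neuvector/controller:5.4.2", {})]:
        print(image, assess(image, cfg))
```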
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts with certificate validation errors
- Unexpected OpenID Connect provider changes
Network Indicators:
- Unencrypted or improperly encrypted authentication traffic to/from OpenID Connect endpoints
- Suspicious MITM activity in network segments containing NeuVector
SIEM Query:
source="neuvector" AND ("certificate" OR "TLS" OR "OpenID") AND ("fail" OR "error" OR "invalid")