CVE-2025-67860
📋 TL;DR
The NeuVector scanner receives container-registry and controller credentials as command-line arguments. On Linux, /proc/<pid>/cmdline is readable by every local user regardless of who owns the process, so any other user or process on the same host (or in a container that shares the scanner's PID namespace) can read those credentials with ps or directly from /proc. Deployments where the scanner process is launched with credentials in its argument list are affected.
💻 Affected Systems
- NeuVector
- Harvester (when using NeuVector)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Local attackers gain access to container registry and controller credentials, potentially compromising container images and NeuVector management infrastructure.
Likely Case
Malicious local users or compromised processes harvest credentials from process listings, leading to unauthorized access to container registries.
If Mitigated
With credentials moved out of the argument list and /proc mounted with hidepid, reading them requires root on the host (or access to the Docker socket), which already implies a compromised host; exposure is then no worse than any other secret held by that process.
🎯 Exploit Status
Exploitation requires local access to view process command-line arguments via tools like ps or /proc filesystem.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisories for specific fixed versions
Vendor Advisory: https://github.com/harvester/harvester/security/advisories/GHSA-3c9m-gq32-g4jx
Restart Required: Yes
Instructions:
1. Update NeuVector to the patched version.
2. Update Harvester if you use its integrated NeuVector.
3. Restart the scanner processes so the new binaries are actually running.
🔧 Temporary Workarounds
Restrict process visibility
Mount /proc with hidepid so that unprivileged users cannot see other users' /proc/<pid>/ entries, including cmdline (add gid=<group> to exempt a monitoring group if you need one). Note that kernel.yama.ptrace_scope does not help here: it restricts ptrace attachment, not reads of /proc/<pid>/cmdline, which stay world-readable at any ptrace_scope setting.
mount -o remount,hidepid=2 /proc
Caveat: hidepid hides entries only from users without root or CAP_SYS_PTRACE, so root and the container runtime still see the full argument list. A container has its own /proc mount for its PID namespace, so apply the option wherever the scanner actually runs, and make it persistent in /etc/fstab so it survives a reboot.
Use environment variables or a mounted secret file
Configure the scanner to read credentials from the environment or from a file instead of the command line (the variable names below are placeholders; use the names documented for your scanner version):
export NV_REGISTRY_CREDS=...
export NV_CONTROLLER_CREDS=...
Caveat: /proc/<pid>/environ is readable only by the process owner and root, which closes the hole for other local users, but docker inspect still shows a container's environment to anyone with access to the Docker socket. A secret mounted as a file (for example a Kubernetes Secret volume) avoids both exposures.
🧯 If You Can't Patch
- Restrict local user access to scanner hosts
- Monitor process listings for credential exposure
🔍 How to Verify
Check if Vulnerable:
Check whether the scanner process shows credentials in its command line. Run this as an unprivileged user so you see exactly what another local user sees; the process may appear as scanner rather than neuvector-scanner, so widen the pattern if nothing matches: ps aux | grep neuvector-scanner
Check Version:
docker inspect neuvector/scanner:latest | grep -i version
This reports the image tag present on the host, which is not necessarily the one running; on Kubernetes, check the image reference on the scanner pod instead.
Verify Fix Applied:
Verify updated version and check that credentials no longer appear in process listings
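The one-line ps check above misses credentials passed as separate tokens (for example -p hunter2) and echoes the secret into your terminal and shell history. The script below is an added example, not code from the advisory or from the NeuVector project: it walks every readable /proc/<pid>/cmdline, flags option names that commonly carry secrets, and prints them with the values redacted. The option-name pattern and the sample argument lists are assumptions; extend the pattern to the flags your scanner image actually accepts. Run it as an unprivileged user: what it reports is exactly what any other local user can read, and after remounting /proc with hidepid=2 a rerun as that user should find nothing.

```shell
#!/bin/sh
# Added example (not from the advisory or the NeuVector project).
# Walks /proc/<pid>/cmdline and reports argv tokens that look like credentials.
# The option-name pattern is an assumption; extend it to match your scanner's flags.

# Option names that commonly carry secrets: -p, --password, --registry-password=...,
# --secret, --token, --creds, --api-key and similar.
SECRET_OPT_RE='^(-p|-{1,2}[A-Za-z_-]*(pass(word)?|pwd|secret|token|cred(ential)?s?|api[-_]?key)[A-Za-z_-]*(=.*)?)$'

# redact_value: print an argument with everything after '=' replaced by ****,
# so the report itself does not re-leak the secret.
redact_value() {
  case "$1" in
    *=*) printf '%s=****\n' "${1%%=*}" ;;
    *)   printf '%s\n' "$1" ;;
  esac
}

# flag_secret_args: read one argv token per line on stdin and print (redacted)
# the tokens that look like credential options. For a bare option such as
# "-p hunter2" the following token is the secret itself and is skipped, not printed.
flag_secret_args() {
  skip_next=0
  while IFS= read -r arg; do
    if [ "$skip_next" -eq 1 ]; then
      skip_next=0
      continue
    fi
    if printf '%s\n' "$arg" | grep -Eq "$SECRET_OPT_RE"; then
      redact_value "$arg"
      case "$arg" in
        *=*) ;;              # value was inline, nothing more to skip
        *)   skip_next=1 ;;  # value is the next token
      esac
    fi
  done
}

# scan_proc: check every /proc/<pid>/cmdline this user can read.
# Returns 0 when nothing was found and 1 when at least one process exposes a
# credential-looking argument. With /proc mounted hidepid=2 an unprivileged
# user sees only their own processes, so the scan comes back clean.
scan_proc() {
  leaks=0
  for f in /proc/[0-9]*/cmdline; do
    [ -r "$f" ] || continue
    pid=${f#/proc/}
    pid=${pid%/cmdline}
    # cmdline is NUL-separated; turn it into one token per line.
    hits=$(tr '\000' '\n' < "$f" 2>/dev/null | flag_secret_args)
    if [ -n "$hits" ]; then
      leaks=$((leaks + 1))
      printf 'pid %s exposes: %s\n' "$pid" "$(printf '%s' "$hits" | tr '\n' ' ')"
    fi
  done
  [ "$leaks" -eq 0 ]
}

# Run the live scan only when invoked as: sh scan_cmdline.sh --scan
if [ "${1:-}" = "--scan" ]; then
  scan_proc
fi
```

The exit status makes it usable as a host compliance check (non-zero means a process on this host still carries a secret in argv). Because flag_secret_args reads tokens on stdin, you can also feed it a cmdline captured from another host with `tr '\000' '\n' < cmdline.bin | flag_secret_args` during incident triage.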
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts using scanner credentials
- Unexpected registry access
Network Indicators:
- Unusual registry pull patterns from scanner hosts
SIEM Query:
process.name='neuvector-scanner' AND (process.command_line CONTAINS 'password' OR process.command_line CONTAINS 'cred')
The parentheses matter: without them AND binds tighter than OR and the query matches every process with 'password' in its command line. Widen process.name to match 'scanner' if your deployment names the binary differently, and make sure the matched command line is not itself copied into an alert body where it would re-expose the secret.