Severity: 8.6 HIGH
EPSS: 0.1% (top 78.59%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 30

Description

This vulnerability affects NeuVector deployments only when the Report anonymous cluster data option is enabled. When this option is enabled, NeuVector sends anonymous telemetry data to the telemetry server. In affected versions, NeuVector does not enforce TLS certificate verification when transmitting anonymous cluster data to the telemetry server. As a result, the communication channel is susceptible to man-in-the-middle (MITM) attacks, where an attacker could intercept or modify the transmit

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Exploitability: 3.9 | Impact: 4.7

Affected Packages (2 packages)

Source     Package                         Introduced  Fixed
CVEListV5  suse/neuvector                  5.3.0       5.3.5 (+2)
Go         github.com/neuvector/neuvector  5.3.0       5.3.5 (+2)

Vulnerability Details (4)

OSV      2025-10-30  NeuVector telemetry sender is vulnerable to MITM and DoS in github.com/neuvector/neuvector
CVEList  2025-10-30  NeuVector telemetry sender is vulnerable to MITM and DoS
GHSA     2025-10-21  NeuVector telemetry sender is vulnerable to MITM and DoS
OSV      2025-10-21  NeuVector telemetry sender is vulnerable to MITM and DoS
CVE-2025-54470 (HIGH, CVSS 8.6) | cvebase.io