← back
CVE-2025-62877

Harvest may expose OS default ssh login password via SUSE Virtualization Interactive Installer

CVSS 9.8 CRITICALEPSS 0.5%CWE-1188
Vexday Risk Score
28Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 9.8EPSS 0.5%KEV nãoPoC Patch
Lifecycle
08 Jan 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Projects using the SUSE Virtualization (Harvester) environment may expose the OS default ssh login password  if they are using the 1.5.x or 1.6.x interactive installer to either create a new cluster or add new hosts to an existing cluster. The environment is not affected if the PXE boot mechanism is utilized along with the Harvester configuration setup.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
SUSE · harvester

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-62877https://github.com/harvester/harvester/security/advisories/GHSA-6g8q-hp2j-gvwv