
CVE-2025-54471: NeuVector is shipping cryptographic material into its binary

CVSS Score: 6.5 (CVSS v3.1)

Basic Information

EPSS Score: -
Published: 10/21/2025
Updated: 10/21/2025
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
github.com/neuvector/neuvector | go | >= 5.3.0, <= 5.4.6 | 5.4.7
github.com/neuvector/neuvector | go | >= 0.0.0-20230727023453-1c4957d53911, < 0.0.0-20251020133207-084a437033b4 | 0.0.0-20251020133207-084a437033b4

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability, identified as GH-SA-h773-7gf7-9m2x, stems from NeuVector's use of a hard-coded cryptographic key for encrypting sensitive configurations and user tokens. My analysis of the provided patch commit 084a437033b491eeea11bdba1a09dd84ed12ea88 confirms this. The core of the issue lies in functions that performed encryption and decryption using a static, predictable key.

The patch introduces a new, more secure method of handling encryption keys by dynamically generating them and storing them in Kubernetes secrets. The new implementation uses AES-GCM, a modern and secure encryption algorithm.

I have identified the following key functions as vulnerable because they were either directly using the hardcoded key or were responsible for orchestrating the vulnerable encryption/decryption process:

  1. common.(*EncryptMarshaller).Marshal: This function and its internal helpers were responsible for encrypting configuration data before persisting it. The patch reveals that it would fall back to using utils.EncryptPassword, the old method that relied on the hardcoded key.
  2. common.(*DecryptUnmarshaller).Unmarshal and Uncloak: These functions were responsible for decrypting configuration data. The patch explicitly shows logic to handle data encrypted with the old method (utils.DecryptPassword), proving the existence and use of the weak encryption.
  3. utils.EncryptUserToken and utils.DecryptUserToken: These functions were specifically used for handling user authentication tokens. The code changes clearly show the removal of a call to getPasswordSymKey(), which is where the hardcoded key was likely sourced from.

These functions would be the primary indicators in a runtime profile if the vulnerability were to be triggered. For example, during login or when sensitive configuration is saved or loaded, these functions would be on the call stack. The patch mitigates the vulnerability by replacing the static key with a dynamic key management system, significantly improving the security of the stored data.

Vulnerable functions

github.com/neuvector/neuvector/controller/common.(*EncryptMarshaller).Marshal
controller/common/marshal.go
This function is responsible for encrypting data before it is stored. The patch shows that it previously used `utils.EncryptPassword`, which relied on a hardcoded key. The new implementation uses `aesGcmEncrypt` with a dynamically generated key, but falls back to the vulnerable `utils.EncryptPassword` if the new key is not available. An attacker could potentially force a fallback to the weak encryption method.
github.com/neuvector/neuvector/controller/common.(*DecryptUnmarshaller).Unmarshal
controller/common/marshal.go
This function is responsible for decrypting data when it is read from storage. The patch shows that it contains logic to decrypt data that was encrypted with the old, vulnerable method (`utils.DecryptPassword`). This confirms that the system was using a weak, static encryption key.

Impact

NeuVector uses a hard-coded cryptographic key embedded in the source code. At compilation time, the key value was replaced with the secret key value and used to encrypt sensitive configurations when NeuVector stores the data. In the pat
