9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-62877

CVE-2025-62877: Harvest May Expose OS Default SSH Login Password Via SUSE Virtualization Interactive Installer

Projects using the SUSE Virtualization (Harvester) environment may expose the OS default ssh login password if they are using the 1.5.x or 1.6.x interactive installer to either create a new cluster or add new hosts to an existing cluster. The environment is not affected if the PXE boot mechanism is utilized along with the Harvester configuration setup.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-62877

CVE-2025-62877:

9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/harvester/harvester-installer	go	>= 1.6.0, <= 1.6.1
github.com/harvester/harvester-installer	go	>= 1.5.0, <= 1.5.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a critical logic flaw in the Harvester interactive installer's workflow. The installer would activate the host's networking services before forcing the user to change the default operating system password. This created a time window during installation where an attacker on the local network could gain remote shell access (SSH) using the default, well-known credentials.

The analysis of the patches between the last vulnerable version (v1.6.1) and the first fixed version (v1.7.0) revealed commit 69020d8444b0aef838ceea60a21334e5e500d60e, which explicitly refactors the installer's UI navigation.

The core of the fix involves reordering the installation steps. The functions console.addAskCreatePanel and console.addAskRolePanel, which control the initial installation path, were modified to direct the user to a password change screen (showPasswordPage) immediately after the initial setup choice. Previously, they would proceed to disk and network configuration first. This change ensures that the default password is changed before the host becomes accessible over the network, effectively closing the vulnerability window. The console.passwordWrapper.passwordConfirmVKeyEnter function was also updated to apply the password change immediately and continue the new, secure installation flow.

Vulnerable functions

console.addAskCreatePanel

pkg/console/install_panels.go

This function handles the UI flow for creating a new cluster. In the vulnerable version, it would proceed to disk and network configuration before prompting the user to change the default password. This created a window of opportunity for remote SSH access using default credentials once networking was enabled. The patch changes the navigation to force a password change before any other configuration.

console.addAskRolePanel

pkg/console/install_panels.go

This function handles the UI flow for joining a node to an existing cluster. Similar to creating a cluster, the vulnerable version would configure networking before requiring a password change, exposing the node to potential unauthorized access. The patch reorders the steps to ensure the password is changed before proceeding to network-dependent configurations.

console.passwordWrapper.passwordConfirmVKeyEnter

pkg/console/helper.go

This method is triggered when the user confirms their new password. While not the root cause, its position in the installer workflow was critical to the vulnerability. The patch modifies this function to immediately apply the new password to the system (using the new `applyPassword` function) and then navigate to the next step in the corrected installation order, which is now before network configuration.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-62877: Harvest May Expose OS Default SSH Login Password Via SUSE Virtualization Interactive Installer

CVE-2025-62877:

9.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Technical Details

CVE-2025-62877: Harvest May Expose OS Default SSH Login Password Via SUSE Virtualization Interactive Installer

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

9.8

9.8

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI