CVE-2025-62877 PUBLISHED

Harvest may expose OS default ssh login password via SUSE Virtualization Interactive Installer

Assigner: suse
Reserved: 24.10.2025 Published: 08.01.2026 Updated: 08.01.2026

Projects using the SUSE Virtualization (Harvester) environment may expose the OS default ssh login password if they are using the 1.5.x or 1.6.x interactive installer to either create a new cluster or add new hosts to an existing cluster. The environment is not affected if the PXE boot mechanism is utilized along with the Harvester configuration setup.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 9.8

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	SUSE
Product	harvester
Versions	Default: unaffected Version 1.6.0 is affected Version 1.5.0 is affected

References

Problem Types

CWE-1188: Initialization of a Resource with an Insecure Default CWE