Admin with default credentials in NetBird VPN_CVE-2025-10678

9.3 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

NetBird VPN when installed using vendor's provided script failed to remove or change default password of an admin account created by ZITADEL.
This issue affects instances installed using vendor's provided script. This issue may affect instances created with Docker if the default password was not changed nor the user was removed.

This issue has been fixed in version 0.57.0

AI Analysis

Default admin account password not changed or removed in NetBird VPN

Basic Information

ID CVE-2025-10678

Source CERT-PL

Published Oct 20, 2025 at 15:41

Modified Oct 20, 2025 at 15:52

Affected Product

Vendor NetBird VPN

Product NetBird

Affected Versions NetBird VPN NetBird 0

CWE Classification

CWE-1392

AI Assessment

AI Score 9.3 / 10

AI Severity Critical

Vendor NetBird

Product NetBird VPN

Version < 0.57.0

References

{
    "lastseen": "",
    "description": "NetBird VPN when installed using vendor's provided script failed to remove or change default password of an admin account created by ZITADEL.\nThis issue affects instances installed using vendor's provided script. This issue may affect instances created with Docker if the default password was not changed nor the user was removed.\n\nThis issue has been fixed in version 0.57.0",
    "published": "2025-10-20T15:41:31.149Z",
    "modified": "2025-10-20T15:52:13.566Z",
    "type": "cve",
    "title": "Admin with default credentials in NetBird VPN",
    "source": "CERT-PL",
    "references": "https://cert.pl/en/posts/2025/10/CVE-2025-10678\nhttps://netbird.io/",
    "id": "CVE-2025-10678",
    "bulletinFamily": "",
    "cwe": [
        "CWE-1392"
    ],
    "cvelist": null,
    "sourceData": "NetBird VPN NetBird 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "NetBird",
    "version": "0",
    "vendor": "NetBird VPN",
    "ai_description": "Default admin account password not changed or removed in NetBird VPN",
    "ai_severity": "Critical",
    "ai_vendor": "NetBird",
    "ai_product": "NetBird VPN",
    "ai_version": "< 0.57.0",
    "ai_score": 9.3
}