The SUSE Rancher Security team has issued a critical advisory addressing a command injection and buffer overflow vulnerability in NeuVector, the company’s full lifecycle container security platform.
Tracked as CVE-2025-54469, the flaw carries the maximum CVSS score of 10.0, reflecting the potential for remote code execution and complete container compromise if exploited.
“A vulnerability was identified in NeuVector, where the enforcer used environment variables CLUSTER_RPC_PORT and CLUSTER_LAN_PORT to generate a command to be executed via popen, without first sanitising their values,” the advisory explains.
The flaw resides in the Enforcer container’s monitor process, which is responsible for managing internal subprocesses such as the Consul service. When the Enforcer container stops, this monitor checks whether the Consul subprocess has exited by executing a shell command via the popen() function.
However, SUSE found that the values of the environment variables CLUSTER_RPC_PORT and CLUSTER_LAN_PORT were inserted directly into the shell command—without any input validation or sanitization.
“The values of environment variables CLUSTER_RPC_PORT and CLUSTER_LAN_PORT are used directly to compose shell commands via popen without validation or sanitization,” SUSE warns. “This behavior could allow a malicious user to inject malicious commands through these variables within the enforcer container.”
This design flaw effectively enables arbitrary command injection, allowing attackers with access to modify these environment variables to execute unauthorized shell commands as part of the Enforcer’s startup routine.
Exploitation of CVE-2025-54469 could grant an attacker root-level code execution within the Enforcer container, potentially leading to:
- Complete compromise of the containerized environment.
- Lateral movement within the Kubernetes cluster.
- Tampering with NeuVector’s runtime security enforcement.
- Privilege escalation if the container runs with elevated permissions.
Given NeuVector’s role in protecting containerized workloads and enforcing runtime policies, this vulnerability poses a particularly severe risk to DevSecOps pipelines and production-grade Kubernetes deployments.
SUSE has released a fix in NeuVector version v5.4.7 and later, where the monitor process now validates the values of both environment variables before executing shell commands.
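The check described in the advisory, as an added illustration that is not NeuVector's own code: the raw-value pattern beside a hardened builder that accepts only a plain decimal port before any command string is composed. The `port-check` command text, the function names and the sample values are assumptions for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Accept only a plain decimal TCP port (1-65535). Any other character,
 * including shell metacharacters and whitespace, rejects the value. */
int is_valid_port(const char *s) {
    if (s == NULL || *s == '\0' || strlen(s) > 5) return 0;
    for (const char *p = s; *p != '\0'; p++)
        if (!isdigit((unsigned char)*p)) return 0;
    long v = strtol(s, NULL, 10);
    return v >= 1 && v <= 65535;
}

/* The pattern the advisory describes: the raw variable value is pasted into
 * the string later handed to popen(). Command text is hypothetical. */
int build_cmd_unsafe(char *out, size_t n, const char *rpc_port) {
    int w = snprintf(out, n, "port-check --rpc-port %s", rpc_port);
    return w >= 0 && (size_t)w < n;
}

/* Hardened form: validate both values before composing anything. Returns 1
 * and fills `out` on success, 0 if a value is rejected or would truncate. */
int build_cmd_safe(char *out, size_t n, const char *rpc_port, const char *lan_port) {
    if (!is_valid_port(rpc_port) || !is_valid_port(lan_port)) return 0;
    int w = snprintf(out, n, "port-check --rpc-port %s --lan-port %s", rpc_port, lan_port);
    return w >= 0 && (size_t)w < n;
}

/* Would the monitor accept this pair of environment values? */
int ports_accepted(const char *rpc_port, const char *lan_port) {
    char cmd[128];
    return build_cmd_safe(cmd, sizeof cmd, rpc_port, lan_port);
}

int main(void) {
    /* Constructed values: a benign RPC port and a tampered LAN port. */
    setenv("CLUSTER_RPC_PORT", "8300", 1);
    setenv("CLUSTER_LAN_PORT", "8301; echo injected", 1);
    const char *rpc = getenv("CLUSTER_RPC_PORT");
    const char *lan = getenv("CLUSTER_LAN_PORT");
    char cmd[128];
    if (build_cmd_safe(cmd, sizeof cmd, rpc, lan)) printf("would run: %s\n", cmd);
    else puts("refused: CLUSTER_LAN_PORT is not a valid port");
    return 0;
}
```

With the tampered value the hardened path refuses to build a command at all, whereas `build_cmd_unsafe` would have passed the whole string through to the shell.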