The vulnerability identified as CVE-2025-10678 (CWE-1392) affects NetBird VPN installations performed using the vendor's provided script. During installation, an administrative account created by the integrated identity provider ZITADEL is left with a default password that is neither removed nor changed. This default credential is well-known or easily guessable, allowing unauthenticated remote attackers to log in as administrators without any user interaction. The vulnerability also extends to Docker-based deployments if the default password remains unchanged or the user account is not deleted. Exploitation of this flaw grants attackers full administrative privileges, enabling them to manipulate VPN configurations, intercept or redirect traffic, deploy malicious payloads, and disrupt service availability. The vulnerability has a CVSS 4.0 base score of 9.3, reflecting its critical impact and ease of exploitation. The vendor addressed this issue in NetBird version 0.57.0 by ensuring the default credentials are removed or changed during installation. No known exploits have been reported in the wild yet, but the severity and nature of the flaw make it a high-risk target for attackers. Organizations using affected versions should prioritize upgrading and auditing their VPN deployments to mitigate potential breaches.

For European organizations, the impact of this vulnerability is significant. NetBird VPN is used to secure remote access and interconnect distributed networks, so compromise of administrative credentials can lead to unauthorized access to sensitive internal resources and data. Attackers gaining admin access can manipulate VPN configurations, intercept confidential communications, and potentially pivot to other internal systems, causing widespread data breaches and operational disruptions. This is particularly critical for sectors such as finance, healthcare, government, and critical infrastructure, where VPNs are integral to secure operations. The vulnerability's ease of exploitation without authentication or user interaction increases the risk of automated attacks and rapid compromise. Additionally, organizations relying on containerized deployments using Docker may be unaware of the default credential risk if they have not changed or removed the default admin user. The potential for data exfiltration, service disruption, and reputational damage is high, making this a critical threat to European enterprises and public sector entities.

1. Immediately upgrade all NetBird VPN installations to version 0.57.0 or later, where the vulnerability is fixed. 2. For existing deployments, verify that no default admin accounts with default passwords remain; remove or change these credentials promptly. 3. Audit Docker-based NetBird deployments to ensure default users are removed or passwords changed. 4. Implement network segmentation to limit VPN administrative interface exposure to trusted management networks only. 5. Employ multi-factor authentication (MFA) for VPN administrative access to add an additional security layer. 6. Monitor VPN logs for any unauthorized access attempts or suspicious activities related to admin accounts. 7. Educate system administrators on the risks of default credentials and enforce secure installation and configuration procedures. 8. Regularly review and update VPN configurations and credentials as part of routine security hygiene. 9. Consider deploying intrusion detection/prevention systems to detect exploitation attempts targeting this vulnerability. 10. Maintain an incident response plan to quickly contain and remediate any compromise resulting from this vulnerability.