CVE-2025-67601: CWE-295: Improper Certificate Validation in SUSE rancher
CVE-2025-67601 is a high-severity vulnerability in SUSE Rancher Manager affecting versions up to 2.13.0. It involves improper certificate validation (CWE-295) when using self-signed CA certificates combined with the Rancher CLI login command's --skip-verify flag without the --cacert flag. This causes the CLI to fetch CA certificates from Rancher's stored settings (cacerts), potentially allowing attackers to bypass TLS verification. The vulnerability has a CVSS score of 8.3, indicating high impact on confidentiality, integrity, and availability. Exploitation requires network access and user interaction but no privileges. No known exploits are currently reported in the wild. Organizations using Rancher for container management should urgently review their CLI usage and certificate handling to mitigate risk.
AI Analysis
Technical Summary
CVE-2025-67601 is a vulnerability classified under CWE-295 (Improper Certificate Validation) found in SUSE Rancher Manager, specifically affecting versions 0 through 2.13.0. The issue arises when administrators use self-signed CA certificates and invoke the Rancher CLI login command with the --skip-verify flag but omit the --cacert flag. Under these conditions, the CLI attempts to retrieve CA certificates from Rancher's internal settings (cacerts), which may be manipulated or insufficiently validated. This improper validation can lead to a man-in-the-middle (MITM) attack or allow an attacker to impersonate Rancher servers, compromising the TLS trust model. The vulnerability affects the confidentiality, integrity, and availability of Rancher-managed environments by potentially exposing sensitive data, allowing unauthorized command execution, or disrupting cluster management operations. The CVSS v3.1 score of 8.3 reflects a high severity due to network attack vector, high impact on all security properties, and the requirement of user interaction but no privileges. Although no exploits are currently known in the wild, the vulnerability presents a significant risk given Rancher's widespread use in container orchestration and Kubernetes management. The flaw stems from a design oversight in how the CLI handles certificate verification flags and CA certificate sources, emphasizing the need for strict validation and explicit certificate specification when bypassing verification.
Potential Impact
The vulnerability could allow attackers to perform man-in-the-middle attacks by exploiting improper certificate validation, leading to interception or manipulation of sensitive data transmitted between Rancher CLI clients and Rancher servers. This can compromise the confidentiality of credentials and cluster information, integrity of commands and configurations, and availability of Rancher-managed services. Organizations relying on Rancher for Kubernetes cluster management could face unauthorized access, cluster disruption, or data breaches. Given Rancher’s role in container orchestration, exploitation could cascade to compromise containerized applications and infrastructure. The requirement for user interaction (CLI login) limits automated exploitation but does not eliminate risk, especially in environments where CLI usage is frequent and automated scripts might be misconfigured. The high CVSS score reflects the broad impact and potential for serious operational disruption and data compromise.
Mitigation Recommendations
Organizations should immediately audit their use of the Rancher CLI login command, ensuring that when the --skip-verify flag is used, the --cacert flag is also explicitly provided with a trusted CA certificate to prevent fallback to insecure certificate sources. Avoid using self-signed certificates where possible; instead, use certificates issued by trusted certificate authorities. Update Rancher Manager and CLI tools to the latest patched versions once available from SUSE. Implement strict network segmentation and monitoring around Rancher management interfaces to detect anomalous certificate or network activity. Educate administrators and DevOps teams on secure certificate handling and the risks of bypassing TLS verification. Consider integrating automated checks in CI/CD pipelines to flag insecure CLI usage patterns. Finally, monitor SUSE advisories for patches or additional guidance and apply them promptly.
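One way to implement the CI/CD check recommended above, as an added example that is not part of this advisory or of Rancher's own tooling: a small Python linter that scans shell scripts for `rancher login` invocations passing `--skip-verify` without `--cacert`. The sample script, hostname and token variable below are constructed placeholders.

```python
import os
import shlex

# Constructed sample of a CI script; hostname and token variable are placeholders.
SAMPLE_SCRIPT = """\
#!/bin/sh
rancher login https://rancher.example.internal --token "$RANCHER_TOKEN" --skip-verify
rancher login https://rancher.example.internal --token "$RANCHER_TOKEN" --skip-verify --cacert /etc/rancher/ca.pem
rancher login https://rancher.example.internal --token "$RANCHER_TOKEN"
/usr/local/bin/rancher login https://rancher.example.internal -t "$RANCHER_TOKEN" --skip-verify --cacert=/etc/rancher/ca.pem
cd /tmp && rancher login https://rancher.example.internal -t "$RANCHER_TOKEN" --skip-verify
kubectl get nodes --insecure-skip-tls-verify
"""

SEPARATORS = {"&&", "||", ";", "|"}

def split_commands(argv):
    """Split one shell line's tokens into simple commands at &&, ||, ; and |."""
    cmd = []
    for tok in argv:
        if tok in SEPARATORS:
            if cmd:
                yield cmd
            cmd = []
        else:
            cmd.append(tok)
    if cmd:
        yield cmd

def has_flag(argv, name):
    """True if the flag appears as '--flag' or '--flag=value'."""
    return any(a == name or a.startswith(name + "=") for a in argv)

def find_insecure_logins(text):
    """Return (line number, command) for each 'rancher login' using --skip-verify without --cacert."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        try:
            tokens = shlex.split(stripped)
        except ValueError:
            continue  # unbalanced quotes: skip the line rather than crash
        for cmd in split_commands(tokens):
            if len(cmd) < 2 or os.path.basename(cmd[0]) != "rancher" or cmd[1] != "login":
                continue
            if has_flag(cmd, "--skip-verify") and not has_flag(cmd, "--cacert"):
                findings.append((lineno, " ".join(cmd)))
    return findings
```

Run it over the constructed sample and it reports lines 2 and 6; wire `find_insecure_logins` into a pipeline step that fails the build when the list is non-empty.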
Affected Countries
United States, Germany, China, India, United Kingdom, Canada, France, Japan, Australia, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: suse
- Date Reserved: 2025-12-09T14:05:21.453Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699ed8e3b7ef31ef0bfe5902
Added to database: 2/25/2026, 11:11:31 AM
Last enriched: 2/25/2026, 11:25:49 AM
Last updated: 2/25/2026, 1:14:52 PM