CVE-2025-67601
Published: 25 February 2026
Summary
CVE-2025-67601 is a high-severity Improper Certificate Validation (CWE-295) vulnerability in SUSE Rancher. Its CVSS base score is 8.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557). Its exploit-likelihood ranking sits at the 4.8th percentile (well below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-17 (Public Key Infrastructure Certificates) and IA-5 (Authenticator Management).
Deeper analysis
CVE-2025-67601 is a vulnerability in Rancher Manager that affects the Rancher CLI during login. When Rancher is deployed with a self-signed CA and the user passes the --skip-verify flag to the Rancher CLI login command without also passing --cacert, the CLI attempts to fetch CA certificates from Rancher's cacerts setting, that is, from the very server whose certificate it has just been told not to verify. A trust anchor obtained that way is only as trustworthy as the peer that supplied it, which is why the issue is classed as CWE-295 (Improper Certificate Validation). It carries a CVSS v3.1 base score of 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) and was published on 2026-02-25.
The vector is network-reachable with no privileges required (AV:N/PR:N), but attack complexity is high (AC:H), because the attacker must be positioned between the CLI and Rancher Manager, and user interaction is required (UI:R): a user has to run the login command with --skip-verify and without --cacert. Scope changes (S:C), since a bad trust decision in the CLI carries over to the sessions it authenticates against Rancher Manager, with high impact on confidentiality, integrity and availability (C:H/I:H/A:H).
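The following Go program is an added illustration of the trust-bootstrap failure described above; it is not Rancher's code and is not taken from the advisory. It models an on-path impostor that serves its own CA from a "cacerts" endpoint (the /cacerts path, the PEM response body and the in-memory CAs are constructed for the example and are not a claim about Rancher's real API), shows that a client which fetches the anchor with certificate verification disabled ends up trusting the attacker's CA, and contrasts it with a client that only accepts a CA whose SHA-256 fingerprint was obtained out of band, which is the property the --cacert flag provides.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// NewCA builds a self-signed CA in memory (constructed test data standing in
// for the legitimate Rancher CA and for the CA an on-path attacker would use).
func NewCA(cn string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// Fingerprint is the SHA-256 of the DER certificate: the value an operator
// records out of band and compares against, instead of trusting the peer.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// FetchCACerts is the flawed pattern: the trust anchor is downloaded over a
// connection whose server certificate is not checked, so an on-path attacker
// chooses what comes back. InsecureSkipVerify is what --skip-verify amounts to.
func FetchCACerts(url string) (*x509.Certificate, error) {
	tr := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}
	resp, err := (&http.Client{Transport: tr}).Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}
	block, _ := pem.Decode(body)
	if block == nil {
		return nil, fmt.Errorf("response carried no PEM certificate")
	}
	return x509.ParseCertificate(block.Bytes)
}

// FetchCACertsPinned keeps the download but refuses any CA whose fingerprint
// differs from the out-of-band value: the anchor is chosen by the operator.
func FetchCACertsPinned(url, wantFP string) (*x509.Certificate, error) {
	c, err := FetchCACerts(url)
	if err != nil {
		return nil, err
	}
	if got := Fingerprint(c); got != wantFP {
		return nil, fmt.Errorf("CA fingerprint mismatch: got %s, want %s", got, wantFP)
	}
	return c, nil
}

// AttackerServer is the on-path impostor: its own TLS certificate is untrusted
// (hidden by --skip-verify) and its /cacerts endpoint (a stand-in path) serves the attacker's CA.
func AttackerServer(attackerCA *x509.Certificate) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/cacerts", func(w http.ResponseWriter, _ *http.Request) {
		pem.Encode(w, &pem.Block{Type: "CERTIFICATE", Bytes: attackerCA.Raw})
	})
	return httptest.NewTLSServer(mux)
}

func main() {
	legit, attacker := NewCA("legit rancher CA"), NewCA("attacker CA")
	srv := AttackerServer(attacker)
	defer srv.Close()
	got, err := FetchCACerts(srv.URL + "/cacerts")
	fmt.Println("unpinned client now trusts the attacker CA:", err == nil && got.Equal(attacker))
	_, err = FetchCACertsPinned(srv.URL+"/cacerts", Fingerprint(legit))
	fmt.Println("pinned client rejects it:", err)
}
```

The operational equivalent for the CLI is to obtain the self-signed CA from the cluster operator through a channel you already trust and pass it with --cacert, rather than relying on --skip-verify alone; once the anchor is pinned, the server can no longer choose what the client trusts.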
Mitigation details are available in related advisories, including the SUSE Bugzilla entry at https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-67601 and the Rancher GitHub security advisory at https://github.com/rancher/rancher/security/advisories/GHSA-mc24-7m59-4q5p.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208112
Vulnerability details
A vulnerability has been identified within Rancher Manager, where using self-signed CA certificates and passing the --skip-verify flag to the Rancher CLI login command without also passing the --cacert flag results in the CLI attempting to fetch CA certificates stored in Rancher's setting cacerts.
- CWE(s): CWE-295 (Improper Certificate Validation)
Related Threats
MITRE ATT&CK Enterprise Techniques: Adversary-in-the-Middle (T1557)
Why this technique?
Improper certificate validation (CWE-295) in the Rancher CLI directly enables adversary-in-the-middle attacks: when --skip-verify is used without --cacert, the CLI will talk to a spoofed or untrusted Rancher endpoint, and the CA material it then fetches from that endpoint is whatever the party on the other side of the connection chooses to serve.
Mitigating Controls (NIST 800-53 r5)
SC-17 mandates validation of PKI certificates by verifying certification paths to trust anchors, which is exactly the step the Rancher CLI skips when it logs in with --skip-verify and no --cacert against a self-signed CA.
IA-5 requires that authenticators, PKI certificates included, be managed and protected; for this issue that means distributing the self-signed CA to CLI users through a controlled channel so that --cacert can be used and --skip-verify is not needed.
SC-8 enforces cryptographic protection of transmission confidentiality and integrity for remote CLI login sessions, the property that is lost once certificate validation fails.