Cyber Posture

CVE-2025-67601

Severity: High
Published: 25 February 2026
Modified: 03 March 2026
KEV Added: not listed
CVSS Score: 8.3 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0001 (1.3rd percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-67601 is a high-severity Improper Certificate Validation (CWE-295) vulnerability in SUSE Rancher (Rancher Manager), affecting the Rancher CLI login path. Its CVSS v3.1 base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557). Its EPSS score places it at the 1.3rd percentile for exploit likelihood, well below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-17 (Public Key Infrastructure Certificates) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Adversary-in-the-Middle (T1557). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: SC-17 mandates validation of PKI certificates by verifying certification paths to trust anchors. Passing -skip-verify to the Rancher CLI login command bypasses exactly that check, so enforcing SC-17 (the CLI is given a trust anchor via --cacert and verifies against it) removes the condition the vulnerability depends on.

prevent: IA-5 requires management and protection of authenticators, including PKI certificates. Under IA-5 the self-signed CA for a Rancher deployment is distributed to operators as a managed artifact and supplied to the CLI with --cacert, rather than being worked around with -skip-verify.

prevent: SC-8 enforces cryptographic protection for the confidentiality and integrity of transmissions, including remote CLI login sessions. A login session whose server certificate was never validated does not meet SC-8, which is the risk created when certificate validation fails or is skipped.
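A check a practitioner can run under IA-5 is to scan shell history, CI job scripts and runbooks for rancher login invocations that disable verification without pinning a CA. The Go program below is an added example, not part of this page or of Rancher's own tooling; the sample lines are constructed, and the regular expressions assume the flag spellings -skip-verify (single dash, as the advisory writes it), --skip-verify and --cacert.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample input: lines as they might appear in shell history or a CI job script.
var sampleLines = []string{
	"rancher login https://rancher.example.internal --token token-abc:xyz --skip-verify",
	"rancher login https://rancher.example.internal --token token-abc:xyz -skip-verify --cacert /etc/rancher/ca.pem",
	"rancher login https://rancher.example.internal --token token-abc:xyz --cacert=/etc/rancher/ca.pem",
	"kubectl --context prod get nodes",
	"rancher login https://rancher.example.internal --token token-abc:xyz -skip-verify",
	"rancher context switch",
}

// Both single- and double-dash spellings are matched: the advisory text writes
// -skip-verify with one dash while --cacert appears with two.
var (
	loginRe      = regexp.MustCompile(`(^|\s)rancher\s+login(\s|$)`)
	skipVerifyRe = regexp.MustCompile(`(^|\s)--?skip-verify(\s|$)`)
	cacertRe     = regexp.MustCompile(`(^|\s)--?cacert(=|\s)`)
)

// Finding is one rancher login invocation that disables verification without a pinned CA.
type Finding struct {
	Line int
	Text string
}

// AuditLoginLines returns the invocations that hit the vulnerable combination:
// a skip-verify flag present and no cacert flag on the same command line.
func AuditLoginLines(lines []string) []Finding {
	var findings []Finding
	for i, raw := range lines {
		line := strings.TrimSpace(raw)
		if !loginRe.MatchString(line) {
			continue
		}
		if skipVerifyRe.MatchString(line) && !cacertRe.MatchString(line) {
			findings = append(findings, Finding{Line: i + 1, Text: line})
		}
	}
	return findings
}

func main() {
	for _, f := range AuditLoginLines(sampleLines) {
		fmt.Printf("line %d: skip-verify without --cacert: %s\n", f.Line, f.Text)
	}
}
```

On the constructed sample the audit flags lines 1 and 5 only; line 2 disables verification but also pins a CA, so it is outside the condition described in the advisory. Point the same function at real history or pipeline files by splitting them into lines.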

MITRE ATT&CK Enterprise Techniques

T1557 Adversary-in-the-Middle (tactic: Credential Access)
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
Why these techniques?

Improper certificate validation (CWE-295) in the Rancher CLI directly enables adversary-in-the-middle attacks: when -skip-verify is used without --cacert, the CLI accepts a spoofed or untrusted Rancher endpoint and fetches its CA bundle from that endpoint, so an attacker who can answer for the Rancher URL controls what the CLI trusts.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability has been identified within Rancher Manager, where using self-signed CA certificates and passing the -skip-verify flag to the Rancher CLI login command without also passing the --cacert flag results in the CLI attempting to fetch CA certificates stored in Rancher's setting cacerts.

Deeper analysis

CVE-2025-67601 is a vulnerability in Rancher Manager that affects the Rancher CLI during login operations. Specifically, when self-signed CA certificates are in use, passing the -skip-verify flag to the Rancher CLI login command without also specifying the --cacert flag causes the CLI to attempt fetching CA certificates from Rancher's cacerts setting. Because the connection used for that fetch is, by the user's own instruction, not verified, the trust anchor the CLI ends up with comes from whichever endpoint answered rather than from the operator. This issue corresponds to CWE-295 (Improper Certificate Validation) and carries a CVSS v3.1 base score of 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). The vulnerability was published on 2026-02-25.

Attackers can exploit this vulnerability over the network with no required privileges, though it demands high attack complexity (a position from which the Rancher endpoint can be impersonated) and user interaction, namely a user running the CLI login command with -skip-verify and no --cacert. Scope changes upon successful exploitation (S:C), enabling high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), since a CLI session whose certificate validation has been subverted can be intercepted or redirected along with the credentials and API calls it carries to Rancher Manager.
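The fetch-then-trust sequence described above, modelled as an added Go example. This is not Rancher's code and not the CLI's actual login implementation: two throwaway CAs and two local TLS servers stand in for the genuine Rancher endpoint and an attacker-controlled one, the settings path /v3/settings/cacerts is assumed, and the functions bootstrapInsecure (the -skip-verify-without---cacert behaviour) and login (the --cacert model) are this example's own names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

const cacertsPath = "/v3/settings/cacerts" // assumed path of the Rancher cacerts setting; the fake servers answer on it

func certTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
}

// newCA builds a throwaway self-signed CA (constructed for the example).
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := certTemplate(1, cn)
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// newServer starts a TLS server whose leaf is issued by ca and which serves caPEM, as a Rancher endpoint exposes its cacerts setting.
func newServer(ca *x509.Certificate, caKey *ecdsa.PrivateKey, caPEM []byte) *httptest.Server {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := certTemplate(2, "rancher")
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	tmpl.IPAddresses = []net.IP{net.ParseIP("127.0.0.1")} // httptest listens on loopback
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write(caPEM) }))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	srv.StartTLS()
	return srv
}

func get(url string, cfg *tls.Config) (*http.Response, error) {
	return (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url + cacertsPath)
}

// bootstrapInsecure models the flawed path: verification is skipped, the CA bundle is fetched from whoever answers, and that unauthenticated bundle becomes the trust anchor.
func bootstrapInsecure(url string) (*x509.CertPool, error) {
	resp, err := get(url, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(body) {
		return nil, fmt.Errorf("cacerts setting held no certificates")
	}
	return pool, nil
}

// login connects using only the supplied trust anchors (the --cacert model: the CA comes from the operator).
func login(url string, pool *x509.CertPool) error {
	resp, err := get(url, &tls.Config{RootCAs: pool})
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// Demo reports whether the insecure bootstrap trusts an attacker endpoint, whether a pinned CA rejects it, and whether the pinned CA still accepts the genuine one.
func Demo() (insecureTrustsAttacker, pinnedRejectsAttacker, pinnedAcceptsLegit bool) {
	legitCA, legitKey, legitPEM := newCA("rancher-ca")
	evilCA, evilKey, evilPEM := newCA("attacker-ca")
	legit := newServer(legitCA, legitKey, legitPEM)
	defer legit.Close()
	evil := newServer(evilCA, evilKey, evilPEM) // stands in for a spoofed Rancher URL
	defer evil.Close()
	pool, err := bootstrapInsecure(evil.URL)
	insecureTrustsAttacker = err == nil && login(evil.URL, pool) == nil
	pinned := x509.NewCertPool() // what an operator-supplied --cacert file would yield
	pinned.AppendCertsFromPEM(legitPEM)
	pinnedRejectsAttacker = login(evil.URL, pinned) != nil
	pinnedAcceptsLegit = login(legit.URL, pinned) == nil
	return
}

func main() { fmt.Println(Demo()) }
```

Running it prints three booleans: the first shows that the skip-verify bootstrap happily installs the attacker's CA and then "verifies" the spoofed endpoint against it, the second that a CA supplied out of band refuses that endpoint, and the third that the pinned CA still works against the genuine server. The difference between the two client paths is only where the trust anchor comes from, which is the whole of the CWE-295 point here.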

Mitigation details are available in related advisories, including the SUSE Bugzilla entry at https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-67601 and the Rancher GitHub security advisory at https://github.com/rancher/rancher/security/advisories/GHSA-mc24-7m59-4q5p.

Details

CWE(s): CWE-295 Improper Certificate Validation

Affected Products: suse rancher 2.10.0 — 2.10.11 · 2.11.0 — 2.11.10 · 2.12.0 — 2.12.6

CVEs Like This One

CVE-2025-1193 · shared CWE-295
CVE-2025-46788 · shared CWE-295
CVE-2026-33810 · shared CWE-295
CVE-2026-32627 · shared CWE-295
CVE-2024-55581 · shared CWE-295
CVE-2025-11043 · shared CWE-295
CVE-2026-4434 · shared CWE-295
CVE-2026-25160 · shared CWE-295
CVE-2025-0500 · shared CWE-295
CVE-2026-4396 · shared CWE-295
