CVE-2025-54471

Name of the Vulnerable Software and Affected Versions NeuVector versions prior to 5.4.7

Description NeuVector utilized a hard-coded cryptographic key within its source code. During compilation, this key was replaced with a secret key and used to encrypt sensitive configurations when stored. The patched version leverages the Kubernetes secret neuvector-store-secret in the neuvector namespace to dynamically generate cryptographically secure random keys, removing the reliance on static key values. The NeuVector controller checks encrypted configured fields during upgrades or restores, decrypting them with the default key and re-encrypting them with the new dynamic key. If the controller lacks the necessary RBAC permissions to access the new secret, an error log is generated: Required Kubernetes RBAC for secrets are not found and the controller exits. The device encryption key is rotated every 3 months.

Recommendations Upgrade to NeuVector version 5.4.7 or later.