Full Report
A Use of Default Credentials vulnerability (CVE-2025-10678) has been found in the NetBird VPN software.
Analysis Summary
# Vulnerability: Use of Default Credentials in NetBird VPN
## CVE Details
- CVE ID: CVE-2025-10678
- CVSS Score: Information on the CVSS score is not provided in the source material.
- CWE: CWE-1392 (Use of Default Credentials)
## Affected Systems
- Products: NetBird VPN
- Versions: All versions prior to 0.57.0
- Configurations: Instances installed using the vendor's provided script. May also affect instances created with Docker if the default admin password was not changed or the admin user was not removed.
## Vulnerability Description
The vulnerability stems from NetBird VPN failing to remove or change the default password of the administrative account created by the default identity provider, ZITADEL, when the software is installed with the vendor's installation script. An instance left in this state is open to unauthorized access by anyone who knows the default credentials.
## Exploitation
- Status: Not explicitly stated, but the risk is high because the credentials are default values.
- Complexity: Likely Low, given that default credentials require no discovery step.
- Attack Vector: Network (implied, since the default credentials would be used against a network-reachable login).
## Impact
*Note: Specific impact levels (None, Low, Medium, High, Critical) are not provided; assessed based on the CWE type.*
- Confidentiality: Potentially High (Unauthorized access to VPN configuration and potentially network traffic metadata).
- Integrity: Potentially High (Ability to alter system configuration).
- Availability: Potentially Medium (Risk of system shutdown or configuration disruption).
## Remediation
### Patches
- Patched in NetBird version **0.57.0** and later.
### Workarounds
- Manually remove or change the default password for the admin account created by ZITADEL on affected installations.
- For Docker installations, ensure the default admin user was removed or its password was changed immediately upon setup.
## Detection
- Detection methods are not specified, but system administrators should audit the user accounts and credentials in the ZITADEL identity provider component of their NetBird installations and confirm that the default administrative account has been removed or its password changed.
- Indicators of compromise would include unauthorized logins or changes to the VPN configuration originating from the default administrative user account.
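The two checks above, written as an added example rather than code from the NetBird or ZITADEL projects: it verifies whether the default administrative account is still present in an exported user list, and it flags logins and configuration changes attributed to that account in audit events. The account name, the JSON-lines event format and the field names are assumptions, since the advisory does not state them; the sample events are constructed.

```python
import json

# Assumed placeholder: the advisory does not name the ZITADEL-created default
# administrative account, so substitute the real username here.
DEFAULT_ADMIN = "zitadel-default-admin@PLACEHOLDER"

# Constructed sample audit events in JSON-lines form. This is not ZITADEL's
# real log format; only the fields read below are assumed to exist.
SAMPLE_EVENTS = """\
{"ts":"2025-09-01T08:00:00Z","event":"user.login","user":"alice@example.com","src":"10.0.0.5","ok":true}
{"ts":"2025-09-01T08:05:00Z","event":"user.login","user":"zitadel-default-admin@PLACEHOLDER","src":"203.0.113.7","ok":false}
{"ts":"2025-09-01T08:05:30Z","event":"user.login","user":"zitadel-default-admin@PLACEHOLDER","src":"203.0.113.7","ok":true}
{"ts":"2025-09-01T08:06:00Z","event":"config.change","user":"zitadel-default-admin@PLACEHOLDER","src":"203.0.113.7","ok":true,"detail":"peer approval disabled"}
{"ts":"2025-09-01T09:00:00Z","event":"config.change","user":"alice@example.com","src":"10.0.0.5","ok":true,"detail":"added peer"}
"""


def default_admin_still_present(users, default_admin=DEFAULT_ADMIN):
    """True if the default admin account is still in an exported user list.
    That is the precondition for CVE-2025-10678 and should be remediated."""
    return any(u.get("username") == default_admin for u in users)


def find_default_admin_activity(lines, default_admin=DEFAULT_ADMIN):
    """Return indicators of compromise named in the advisory: logins (failed
    and successful) and configuration changes made by the default admin."""
    findings = []
    for raw in lines.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        if ev.get("user") != default_admin:
            continue
        if ev.get("event") == "user.login":
            kind = "default-admin-login-success" if ev.get("ok") else "default-admin-login-failure"
        elif ev.get("event") == "config.change":
            kind = "default-admin-config-change"
        else:
            continue
        findings.append({"kind": kind, "ts": ev.get("ts"), "src": ev.get("src")})
    return findings


if __name__ == "__main__":
    for f in find_default_admin_activity(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['kind']} from {f['src']}")
```

Any successful login or configuration change by the default account after installation is worth investigating, and a still-present default account should be removed or re-credentialed per the Workarounds section.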
## References
- Vendor advisories: None linked directly; only the disclosure report source is given.
- Relevant links:
  - [https://incydent.cert.pl/#!/lang=en](https://incydent.cert.pl/#!/lang=en)
  - [https://www.cve.org/CVERecord?id=CVE-2025-10678](https://www.cve.org/CVERecord?id=CVE-2025-10678)
  - [https://cwe.mitre.org/data/definitions/1392.html](https://cwe.mitre.org/data/definitions/1392.html)
  - [https://cert.pl/en/cvd/](https://cert.pl/en/cvd/)