Search
Find a vulnerability
Search criteria
2 vulnerabilities found for NetBird by NetBird VPN
CVE-2025-10678 (GCVE-0-2025-10678)
Vulnerability from nvd – Published: 2025-10-20 15:41 – Updated: 2025-10-20 15:52 X_Open Source
VLAI
Title
Admin with default credentials in NetBird VPN
Summary
NetBird VPN when installed using vendor's provided script failed to remove or change default password of an admin account created by ZITADEL.
This issue affects instances installed using vendor's provided script. This issue may affect instances created with Docker if the default password was not changed nor the user was removed.
This issue has been fixed in version 0.57.0
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1392 - Use of Default Credentials
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://cert.pl/en/posts/2025/10/CVE-2025-10678 | third-party-advisory |
| https://netbird.io/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| NetBird VPN | NetBird |
Affected:
0 , < 0.57.0
(semver)
|
Date Public
2025-10-19 09:55
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10678",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-20T15:52:06.861232Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-20T15:52:13.566Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com",
"defaultStatus": "unaffected",
"packageName": "netbird",
"product": "NetBird",
"vendor": "NetBird VPN",
"versions": [
{
"lessThan": "0.57.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Adam Sobieraj"
}
],
"datePublic": "2025-10-19T09:55:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "NetBird VPN when installed using vendor\u0027s provided script failed to remove or change default password of an admin account created by ZITADEL.\u003cbr\u003eThis issue affects instances installed using vendor\u0027s provided script. This issue may affect instances created with Docker if the default password was not changed nor the user was removed.\u003cbr\u003e\u003cbr\u003eThis issue has been fixed in version 0.57.0"
}
],
"value": "NetBird VPN when installed using vendor\u0027s provided script failed to remove or change default password of an admin account created by ZITADEL.\nThis issue affects instances installed using vendor\u0027s provided script. This issue may affect instances created with Docker if the default password was not changed nor the user was removed.\n\nThis issue has been fixed in version 0.57.0"
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1392",
"description": "CWE-1392: Use of Default Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-20T15:42:03.622Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2025/10/CVE-2025-10678"
},
{
"tags": [
"product"
],
"url": "https://netbird.io/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_open-source"
],
"title": "Admin with default credentials in NetBird VPN",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2025-10678",
"datePublished": "2025-10-20T15:41:31.149Z",
"dateReserved": "2025-09-18T08:50:24.259Z",
"dateUpdated": "2025-10-20T15:52:13.566Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-10678 (GCVE-0-2025-10678)
Vulnerability from cvelistv5 – Published: 2025-10-20 15:41 – Updated: 2025-10-20 15:52 X_Open Source
VLAI
Title
Admin with default credentials in NetBird VPN
Summary
NetBird VPN when installed using vendor's provided script failed to remove or change default password of an admin account created by ZITADEL.
This issue affects instances installed using vendor's provided script. This issue may affect instances created with Docker if the default password was not changed nor the user was removed.
This issue has been fixed in version 0.57.0
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1392 - Use of Default Credentials
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://cert.pl/en/posts/2025/10/CVE-2025-10678 | third-party-advisory |
| https://netbird.io/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| NetBird VPN | NetBird |
Affected:
0 , < 0.57.0
(semver)
|
Date Public
2025-10-19 09:55
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10678",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-20T15:52:06.861232Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-20T15:52:13.566Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com",
"defaultStatus": "unaffected",
"packageName": "netbird",
"product": "NetBird",
"vendor": "NetBird VPN",
"versions": [
{
"lessThan": "0.57.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Adam Sobieraj"
}
],
"datePublic": "2025-10-19T09:55:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "NetBird VPN when installed using vendor\u0027s provided script failed to remove or change default password of an admin account created by ZITADEL.\u003cbr\u003eThis issue affects instances installed using vendor\u0027s provided script. This issue may affect instances created with Docker if the default password was not changed nor the user was removed.\u003cbr\u003e\u003cbr\u003eThis issue has been fixed in version 0.57.0"
}
],
"value": "NetBird VPN when installed using vendor\u0027s provided script failed to remove or change default password of an admin account created by ZITADEL.\nThis issue affects instances installed using vendor\u0027s provided script. This issue may affect instances created with Docker if the default password was not changed nor the user was removed.\n\nThis issue has been fixed in version 0.57.0"
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1392",
"description": "CWE-1392: Use of Default Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-20T15:42:03.622Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2025/10/CVE-2025-10678"
},
{
"tags": [
"product"
],
"url": "https://netbird.io/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_open-source"
],
"title": "Admin with default credentials in NetBird VPN",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2025-10678",
"datePublished": "2025-10-20T15:41:31.149Z",
"dateReserved": "2025-09-18T08:50:24.259Z",
"dateUpdated": "2025-10-20T15:52:13.566Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}