CVE-2025-9276
CRITICALDescription
Cockroach Labs cockroach-k8s-request-cert Empty Root Password Authentication Bypass Vulnerability. This vulnerability could allow remote attackers to bypass authentication on systems that use the affected version of the Cockroach Labs cockroach-k8s-request-cert container image. The specific flaw exists within the configuration of the system shadow file. The issue results from a blank password setting for the root user. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-22195.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| cockroachlabs | cockroach-k8s-request-cert |
References
Advisories & Patches
Frequently Asked Questions
What is CVE-2025-9276? +
How severe is CVE-2025-9276? +
What products are affected by CVE-2025-9276? +
How do I check if I'm vulnerable to CVE-2025-9276? +
Related Vulnerabilities
The password is empty in the initial configuration of ACERA 9010-08 firmware v02.04 and earlier, and ACERA 9010-24 firmware v02.04 …
IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 …
Medtronic MyCareLink Patient Monitor has a built-in user account with an empty password, which allows an attacker with physical access …
IBM Security Access Manager Docker 10.0.0.0 through 10.0.7.1 could allow a local user to possibly elevate their privileges due to …
A vulnerability has been found in FAST/TOOLS and CI Server. The affected products have built-in accounts with no passwords set. …