A newly disclosed security flaw in Rancher Manager, tracked as CVE-2025-67601, could expose administrator login credentials during Rancher CLI login operations. The issue has been rated High severity and was published under advisory GHSA-mc24-7m59-4q5p by samjustus last week.
The flaw affects Rancher Manager packages in the Go ecosystem, specifically within the GitHub repository github.com/rancher/rancher. It occurs when a user logs into Rancher CLI using the command rancher login with the --skip-verify flag but without the --cacert flag. Under these conditions, the CLI attempts to fetch CA certificates from Rancher Manager's internal settings (cacerts) over a connection whose server certificate has not been validated, so the trust anchors themselves come from an unverified peer. This leaves the TLS handshake open to interception.
A Man-in-the-Middle (MITM) attack could be carried out by a remote attacker who can put themselves between the Rancher CLI and Rancher Manager, possibly obtaining session tokens and basic authentication headers during login. This exposure directly threatens the confidentiality and integrity of the environment, allowing threat actors unauthorized access to Rancher clusters.

Technical Impact and Mitigation

When connecting using Rancher CLI, the vulnerability's impact is linked to incorrect TLS certificate validation.
The CLI automatically retrieves trusted CA certificates from the Rancher Manager when the --skip-verify flag is set, disabling server certificate verification. An attacker could return a malicious CA they control to pose as a trusted service. Such an attack aligns with the MITRE ATT&CK technique T1557 (Man-in-the-Middle), enabling interception or modification of data during communication.
This kind of compromise could reveal private administrative credentials or enable cluster configuration manipulation.

Field | Details
CVE ID | CVE-2025-67601
Advisory | GHSA-mc24-7m59-4q5p
Severity | High

The Rancher development team has released patched versions that remove the automatic CA certificate fetching behavior for the login command. Going forward, administrators must explicitly supply CA certificates when connecting to Rancher Manager using self-signed certificates.
Patched Versions: v2.13.2, v2.12.6, v2.11.10, v2.10.11

If upgrading is not immediately possible, users should always include the --cacert flag with a valid CA certificate when executing rancher login, especially in environments using self-signed CAs. Security teams are urged to validate whether Rancher CLI connections occur over untrusted networks and to upgrade to the latest stable release as soon as possible.