CVE-2025-10678 — Vulnetix

Try Vulnetix Request Demo

CVE-2025-10678 PUBLISHED CVSS 9.300000190734863 CRITICAL

NetBird VPN does not remove the default password of an admin account

EPSS 0.06% · 17.6th percentile

Risk Scores

CVSS v4.0

9.300000190734863

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS Score

0.06%

17.6th percentile

Affected Products

Vendor	Product	Versions
github.com	netbirdio/netbird	0
NetBird VPN	NetBird	0

Timeline

Oct 20, 2025 CVE Published
Oct 20, 2025 Coalition ESS Score
Oct 20, 2025 PoC Published
Oct 20, 2025 PoC Published
Oct 21, 2025 EPSS Score
Oct 21, 2025 PoC Published
Oct 22, 2025 Coalition ESS Score
Oct 26, 2025 EPSS Score
Oct 27, 2025 Coalition ESS Score
Nov 1, 2025 EPSS Score
Nov 6, 2025 EPSS Score
Nov 10, 2025 CVE Updated

References

https://cert.pl/en/posts/2025/10/CVE-2025-10678 third-party-advisory
https://netbird.io/ url
https://nvd.nist.gov/vuln/detail/CVE-2025-10678 advisory
https://github.com/netbirdio/netbird/commit/cf7f6c355f713e83cf171b79e08dac60b316e4fd url
https://github.com/netbirdio/netbird package
https://netbird.io url

Open in Interactive Console →