Hewlett Packard Enterprise (HPE) has disclosed a critical security flaw in its Performance Cluster Manager (HPCM) software that could allow attackers to bypass authentication and gain unauthorized remote access to sensitive systems.
The vulnerability, tracked as CVE-2025-27086, affects HPCM versions 1.12 and earlier, posing significant risk to enterprises that rely on the tool for high-performance computing (HPC) cluster management.
Vulnerability Details and Risks
The flaw resides in the HPCM graphical user interface (GUI), enabling malicious actors to exploit weak authentication mechanisms remotely. With a CVSS v3.1 score of 8.1 (High severity), attackers could leverage this issue to:
- Access and manipulate cluster configurations
- Extract sensitive operational data
- Disrupt critical computing workflows
HPE's advisory notes that exploitation requires no user interaction or privileges, making it a pressing concern for organizations with exposed HPCM instances.
| Attribute | Details |
| --- | --- |
| Vulnerability ID | CVE-2025-27086 |
| Affected Product | HPE Performance Cluster Manager (HPCM) |
| Affected Versions | HPCM 1.12 and earlier |
| Vulnerability Type | Remote Authentication Bypass |
| CVSS v3.1 Score | 8.1 (High) |
The vulnerability affects HPCM 1.12 and all earlier releases. HPE has released HPCM 1.13 to address the flaw and urges customers to upgrade immediately.
For environments where updating is not immediately feasible, the company recommends disabling the GUI by:
- Editing the configuration file /opt/clmgr/etc/cmusererver.conf
- Adding -Dcmu.rmi=false to the CMU_JAVA_SERVER_ARGS parameter
- Restarting the cmdb.service
This workaround disables the Remote Method Invocation (RMI) service, neutralizing the attack vector without requiring downtime.
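The three workaround steps above are easy to get subtly wrong by hand on a fleet (flag added twice, added outside the quotes, or a file edited that never contained the parameter). The following script is an added example, not HPE's code or part of the advisory: it applies the configuration change idempotently, keeps a backup for rollback once 1.13 is installed, and fails loudly when the CMU_JAVA_SERVER_ARGS line is absent so nobody assumes the GUI was disabled when it was not. It assumes the file holds one KEY=value or KEY="value" setting per line and uses the path as the article gives it; check the real file layout before running it.

```shell
#!/bin/sh
# Added example, not HPE's code or the article's: apply the interim workaround
# (add -Dcmu.rmi=false to CMU_JAVA_SERVER_ARGS) idempotently and with a backup.
# ASSUMPTIONS: one KEY=value or KEY="value" setting per line, and the default
# path below is the one named in the article.
set -eu

RMI_FLAG='-Dcmu.rmi=false'
DEFAULT_CONF='/opt/clmgr/etc/cmusererver.conf'   # path as given in the article

# rmi_disabled FILE -> prints "yes" if the flag is already set, else "no"
rmi_disabled() {
    if grep -q '^CMU_JAVA_SERVER_ARGS=.*-Dcmu\.rmi=false' "$1"; then
        echo yes
    else
        echo no
    fi
}

# add_rmi_flag FILE
# Adds the flag to the CMU_JAVA_SERVER_ARGS line, inside the quotes when the
# value is quoted. No-op if already present; returns 1 if the key is absent so
# the caller never assumes the GUI was disabled.
add_rmi_flag() {
    file="$1"
    if ! grep -q '^CMU_JAVA_SERVER_ARGS=' "$file"; then
        echo "no CMU_JAVA_SERVER_ARGS line in $file; nothing changed" >&2
        return 1
    fi
    if [ "$(rmi_disabled "$file")" = "yes" ]; then
        return 0
    fi
    cp -p "$file" "$file.bak"           # rollback point for after the 1.13 upgrade
    tmp="$file.tmp.$$"
    awk -v flag="$RMI_FLAG" '
        /^CMU_JAVA_SERVER_ARGS=/ {
            if ($0 ~ /=""$/)      { sub(/""$/, "\"" flag "\"") }   # empty quoted value
            else if ($0 ~ /"$/)   { sub(/"$/, " " flag "\"") }      # quoted value
            else if ($0 ~ /=$/)   { $0 = $0 flag }                  # empty unquoted value
            else                  { $0 = $0 " " flag }              # unquoted value
        }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Usage: sh disable_hpcm_rmi.sh --apply [CONFIG_FILE]
# Runs only when invoked with --apply, so sourcing the file is harmless.
if [ "${1:-}" = "--apply" ]; then
    add_rmi_flag "${2:-$DEFAULT_CONF}"
    echo "flag applied; now restart cmdb.service to stop the RMI service (step 3 of the advisory)"
fi
```

The restart of cmdb.service is left to the operator on purpose: the service manager in use is not stated in the article, and the restart is the moment to confirm with `rmi_disabled` that the edit actually landed in the running configuration.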
HPCM is widely used in research, financial modeling, and AI development, where clusters manage petabytes of sensitive data.
A successful breach could lead to intellectual property theft, operational paralysis, or compliance violations.
"Proactive patching is essential," emphasized an HPE spokesperson. "Organizations must prioritize this update, especially those with internet-facing HPCM instances."
Cybersecurity experts echo HPE's urgency:
- Immediate Action: Verify your HPCM version and apply v1.13.
- Network Hygiene: Restrict HPCM GUI access to trusted internal networks.
- Monitoring: Audit logs for unusual authentication attempts or configuration changes.
HPE confirmed no evidence of active exploitation but warns that public disclosure increases the likelihood of attacks.
This incident highlights recurring challenges in securing cluster management tools. In 2024, similar flaws in Kubernetes dashboards and cloud orchestrators led to widespread breaches.
HPE's decision not to backport fixes to older HPCM versions underscores the importance of keeping software ecosystems up to date.