Thursday, May 8, 2025
HPE Performance Cluster Manager Vulnerability Enables Unauthorized Access

Hewlett Packard Enterprise (HPE) has disclosed a severe security flaw in its Performance Cluster Manager (HPCM) software that could allow attackers to bypass authentication and gain unauthorized remote access to sensitive systems.

The vulnerability, tracked as CVE-2025-27086, affects HPCM versions 1.12 and earlier, posing significant risks to enterprises relying on the tool for high-performance computing (HPC) cluster management.

Vulnerability Details and Risks

The flaw resides in the HPCM graphical user interface (GUI), enabling malicious actors to exploit weak authentication mechanisms remotely. With a CVSS v3.1 score of 8.1 (High severity), attackers could leverage this issue to:

  • Access and manipulate cluster configurations
  • Extract sensitive operational data
  • Disrupt critical computing workflows

HPE’s advisory notes that exploitation requires no user interaction or privileges, making it a pressing concern for organizations with exposed HPCM instances.

Attribute            Details
Vulnerability ID     CVE-2025-27086
Affected Product     HPE Performance Cluster Manager (HPCM)
Affected Versions    HPCM 1.12 and earlier
Vulnerability Type   Remote Authentication Bypass
CVSS v3.1 Score      8.1 (High)

The vulnerability impacts HPCM 1.12 and all earlier releases. HPE has released HPCM 1.13 to address the flaw and urges customers to upgrade immediately.

For environments where updating is not immediately feasible, the company recommends disabling the GUI by:

  1. Editing the configuration file /opt/clmgr/etc/cmusererver.conf
  2. Adding -Dcmu.rmi=false to the CMU_JAVA_SERVER_ARGS parameter
  3. Restarting the cmdb.service

This workaround disables the Remote Method Invocation (RMI) service, neutralizing the attack vector without requiring downtime.
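The workaround above as a small shell script, added here as an example and not HPE's own tooling: it appends the flag to CMU_JAVA_SERVER_ARGS idempotently (keeping a .bak copy), verifies the result, and only restarts the service when run with --apply. It assumes the parameter is a single line of the form CMU_JAVA_SERVER_ARGS="..." or CMU_JAVA_SERVER_ARGS=... in the file named in the advisory.

```shell
#!/bin/sh
# Added example, not HPE code: apply the RMI-disable workaround for CVE-2025-27086.
# Assumption: CMU_JAVA_SERVER_ARGS occupies one line, quoted or unquoted.
CONF="${CONF:-/opt/clmgr/etc/cmusererver.conf}"
FLAG='-Dcmu.rmi=false'

# Returns 0 when CMU_JAVA_SERVER_ARGS in file $1 already carries the flag.
rmi_disabled() {
  grep -E "^CMU_JAVA_SERVER_ARGS=.*$FLAG" "$1" >/dev/null 2>&1
}

# Adds the flag to CMU_JAVA_SERVER_ARGS in file $1 (creating the parameter if absent).
# Safe to run repeatedly: the flag is added at most once. Returns 0 when the flag is present.
disable_rmi() {
  f="$1"
  if rmi_disabled "$f"; then return 0; fi
  cp "$f" "$f.bak"                       # keep the original for rollback
  if grep -q '^CMU_JAVA_SERVER_ARGS=' "$f"; then
    tmp="$f.tmp.$$"
    # First expression handles a double-quoted value; 't' skips the second one when it matched.
    sed -E -e "s|^(CMU_JAVA_SERVER_ARGS=\"[^\"]*)\"|\1 $FLAG\"|" -e t \
           -e "s|^(CMU_JAVA_SERVER_ARGS=.*)$|\1 $FLAG|" "$f" > "$tmp" && mv "$tmp" "$f"
  else
    printf 'CMU_JAVA_SERVER_ARGS="%s"\n' "$FLAG" >> "$f"
  fi
  rmi_disabled "$f"
}

# Only touch the live config and restart cmdb.service when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
  disable_rmi "$CONF" && systemctl restart cmdb.service
fi
```

After applying, re-run the script's rmi_disabled check (or grep for cmu.rmi=false) to confirm the setting survived any configuration management that rewrites the file.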

HPCM is widely used in research, financial modeling, and AI development, where clusters manage petabytes of sensitive data.

A successful breach could lead to intellectual property theft, operational paralysis, or compliance violations.

“Proactive patching is critical,” emphasized an HPE spokesperson. “Organizations must prioritize this update, especially those with internet-facing HPCM instances.”

Cybersecurity experts echo HPE’s urgency:

  • Immediate Action: Verify your HPCM version and apply v1.13.
  • Network Hygiene: Restrict HPCM GUI access to trusted internal networks.
  • Monitoring: Audit logs for unusual authentication attempts or configuration changes.

HPE confirmed no evidence of active exploitation but warns that public disclosure increases the likelihood of attacks.

This incident highlights recurring challenges in securing cluster management tools. In 2024, similar flaws in Kubernetes dashboards and cloud orchestrators led to widespread breaches.

HPE’s decision not to backport fixes to older HPCM versions underscores the importance of maintaining updated software ecosystems.

Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
