HPE Performance Cluster Manager Vulnerability Enables Unauthorized Access

Hewlett Packard Enterprise (HPE) has disclosed a severe security flaw in its Performance Cluster Manager (HPCM) software that could allow attackers to bypass authentication and gain unauthorized remote access to sensitive systems.

The vulnerability, tracked as CVE-2025-27086, affects HPCM versions 1.12 and earlier, posing significant risks to enterprises relying on the tool for high-performance computing (HPC) cluster management.

Vulnerability Details and Risks

The flaw resides in the HPCM graphical user interface (GUI), enabling malicious actors to exploit weak authentication mechanisms remotely. With a CVSS v3.1 score of 8.1 (High severity), attackers could leverage this issue to:

  • Access and manipulate cluster configurations
  • Extract sensitive operational data
  • Disrupt critical computing workflows

HPE’s advisory notes that exploitation requires no user interaction or privileges, making it a pressing concern for organizations with exposed HPCM instances.

Attribute             Details
Vulnerability ID      CVE-2025-27086
Affected Product      HPE Performance Cluster Manager (HPCM)
Affected Versions     HPCM 1.12 and earlier
Vulnerability Type    Remote Authentication Bypass
CVSS v3.1 Score       8.1 (High)

The vulnerability impacts HPCM 1.12 and all earlier releases. HPE has released HPCM 1.13 to address the flaw and urges customers to upgrade immediately.

For environments where updating is not immediately feasible, the company recommends disabling the GUI by:

  1. Editing the configuration file /opt/clmgr/etc/cmusererver.conf
  2. Adding -Dcmu.rmi=false to the CMU_JAVA_SERVER_ARGS parameter
  3. Restarting the cmdb.service

This workaround disables the Remote Method Invocation (RMI) service, neutralizing the attack vector without requiring downtime.
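The workaround above, as an added example (not HPE's own tooling): a POSIX shell helper that inserts -Dcmu.rmi=false into CMU_JAVA_SERVER_ARGS only if it is not already there, keeps a backup, and offers a check an auditor can run against the file. It assumes the parameter is written as a shell-style KEY="value" line (an assumption; confirm against your copy of the file) and leaves the service restart to the operator.

```shell
#!/bin/sh
# Added example, not from HPE's advisory. Assumes the config file holds a line
# of the form  CMU_JAVA_SERVER_ARGS="..."  (assumption about the file format).
set -eu

FLAG='-Dcmu.rmi=false'

# Add FLAG to CMU_JAVA_SERVER_ARGS in the given file unless already present.
# Prints "added" or "present"; returns 1 if the parameter is not in the file.
apply_rmi_workaround() {
    conf="$1"
    if ! grep -q '^CMU_JAVA_SERVER_ARGS=' "$conf"; then
        echo "CMU_JAVA_SERVER_ARGS not found in $conf" >&2
        return 1
    fi
    if grep -q "^CMU_JAVA_SERVER_ARGS=.*$FLAG" "$conf"; then
        echo present
        return 0
    fi
    cp "$conf" "$conf.bak"   # keep a backup before editing
    # Insert the flag right after '=' (and the opening quote, if any) so the
    # existing arguments are preserved.
    sed -i "/^CMU_JAVA_SERVER_ARGS=/ s|=\"\{0,1\}|&$FLAG |" "$conf"
    echo added
}

# Audit check: succeeds only if the file disables RMI.
rmi_disabled() {
    grep -q "^CMU_JAVA_SERVER_ARGS=.*$FLAG" "$1"
}

# Demo on a constructed sample file (the sample argument values are made up).
# Against the real file named in the advisory, follow the edit with:
#   systemctl restart cmdb.service
demo() {
    tmp=$(mktemp)
    printf 'CMU_JAVA_SERVER_ARGS="-Xmx2g"\n' > "$tmp"
    apply_rmi_workaround "$tmp"      # prints: added
    apply_rmi_workaround "$tmp"      # prints: present (idempotent)
    rmi_disabled "$tmp" && echo "RMI disabled in $tmp"
    rm -f "$tmp" "$tmp.bak"
}

demo
```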

HPCM is widely used in research, financial modeling, and AI development, where clusters manage petabytes of sensitive data.

A successful breach could lead to intellectual property theft, operational paralysis, or compliance violations.

“Proactive patching is critical,” emphasized an HPE spokesperson. “Organizations must prioritize this update, especially those with internet-facing HPCM instances.”

Cybersecurity experts echo HPE’s urgency:

  • Immediate Action: Verify your HPCM version and apply v1.13.
  • Network Hygiene: Restrict HPCM GUI access to trusted internal networks.
  • Monitoring: Audit logs for unusual authentication attempts or configuration changes.

HPE confirmed no evidence of active exploitation but warns that public disclosure increases the likelihood of attacks.

This incident highlights recurring challenges in securing cluster management tools. In 2024, similar flaws in Kubernetes dashboards and cloud orchestrators led to widespread breaches.

HPE’s decision not to backport fixes to older HPCM versions underscores the importance of maintaining updated software ecosystems.

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
