A critical vulnerability in Hewlett Packard Enterprise's Performance Cluster Manager has been identified, enabling attackers to remotely bypass authentication safeguards.
The flaw, formally documented as CVE-2025-27086 with a high severity CVSS 3.1 score of 8.1, affects all HPCM versions up to and including 1.12.
HPE Performance Cluster Manager Vulnerability
Security researchers discovered the vulnerability in the HPCM graphical user interface (GUI), where Remote Method Invocation (RMI) is used for communication between the GUI and the underlying server.
In affected versions, the improper handling of RMI requests creates an exploitable security gap.
“By crafting a specially designed request, attackers can skip the authentication process, directly accessing privileged functions without proper clearance,” states the HPE security bulletin.
This authentication bypass threatens the integrity, confidentiality, and availability of high-performance computing clusters managed by HPCM.
The vulnerability is particularly concerning for organizations running critical infrastructure on HPE cluster systems, as it potentially allows unauthorized access to sensitive computing resources.
HPCM is widely deployed in enterprise environments for managing Linux-based high-performance computing clusters that can scale to 100,000 nodes.
Risk Factors:
Affected Products: HPE Performance Cluster Manager (HPCM) 1.12 and earlier
Impact: Remote Authentication Bypass
Exploit Prerequisites: Attacker can access the HPCM GUI remotely; no authentication or user interaction required; high attack complexity
CVSS 3.1 Score: 8.1 (High)
Mitigation
HPE has addressed the vulnerability in HPCM version 1.13, which contains a complete fix for the issue.
However, recognizing that immediate upgrades may not be feasible for all organizations due to operational constraints, the company has provided a temporary mitigation strategy.
System administrators who cannot immediately upgrade are advised to disable the RMI service that facilitates the insecure GUI interactions.
This can be accomplished by modifying the configuration file located at /opt/clmgr/etc/cmuserver.conf by appending the argument -Dcmu.rmi=false to the CMU_JAVA_SERVER_ARGS variable and restarting the cmdb.service.
HPE confirms this configuration change can be safely implemented in production environments.
“This will prevent the RMI service from starting, which the GUI uses to communicate with the server,” explains the bulletin.
While this mitigation effectively blocks the attack vector, it also disables GUI functionality, requiring administrators to use alternative management interfaces.
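As an added example (not HPE's bulletin text or tooling), the following POSIX shell script applies the workaround above idempotently, keeps a backup, and verifies the result; it assumes cmuserver.conf holds a shell-style CMU_JAVA_SERVER_ARGS="..." assignment, which the bulletin does not specify, so check the file's format on your own installation first.

```shell
# Added example, not HPE's own tooling. Applies the bulletin's workaround:
# append -Dcmu.rmi=false to CMU_JAVA_SERVER_ARGS in cmuserver.conf, then
# restart cmdb.service. ASSUMPTION: the file holds a shell-style
# CMU_JAVA_SERVER_ARGS="..." assignment (the bulletin does not show the
# file's format); confirm this on your installation before applying.

CONF_DEFAULT=/opt/clmgr/etc/cmuserver.conf
RMI_FLAG='-Dcmu.rmi=false'

# Return 0 if the flag is already present on the CMU_JAVA_SERVER_ARGS line.
rmi_disabled() {
    conf="${1:-$CONF_DEFAULT}"
    grep -E "^CMU_JAVA_SERVER_ARGS=.*$RMI_FLAG" "$conf" >/dev/null 2>&1
}

# Append the flag in place (keeps a .bak copy). Idempotent: a second run is
# a no-op. Return 1 if the variable line is absent or the edit failed.
add_rmi_disable_flag() {
    conf="${1:-$CONF_DEFAULT}"
    rmi_disabled "$conf" && return 0
    grep -q '^CMU_JAVA_SERVER_ARGS=' "$conf" || return 1
    cp -p "$conf" "$conf.bak" || return 1
    # awk rather than sed -i so the script behaves the same on GNU and BSD.
    awk -v flag="$RMI_FLAG" '
        /^CMU_JAVA_SERVER_ARGS=/ {
            q = ""
            # Keep a trailing closing quote and insert the flag before it.
            if ($0 ~ /["'\'']$/) { q = substr($0, length($0)); $0 = substr($0, 1, length($0) - 1) }
            sep = ($0 ~ /=$/) ? "" : " "
            $0 = $0 sep flag q
        }
        { print }
    ' "$conf" > "$conf.tmp" || return 1
    # Write back through the original file so ownership and mode survive.
    cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp" || return 1
    rmi_disabled "$conf"
}

# Apply only when explicitly requested, so sourcing the file has no side effects.
# Usage: HPCM_APPLY=1 sh disable_hpcm_rmi.sh [/path/to/cmuserver.conf]
if [ "${HPCM_APPLY:-0}" = 1 ]; then
    add_rmi_disable_flag "${1:-$CONF_DEFAULT}" && systemctl restart cmdb.service
fi
```

After the restart, confirm that the GUI can no longer connect and that the RMI listener is gone before relying on the change.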
The severity of this vulnerability highlights ongoing security challenges in cluster management software.
Similar remote authentication bypass flaws have previously been identified in other enterprise management platforms, including a 2021 vulnerability in HP Cloud Service Automation that allowed remote authentication bypass when using Node.js in FIPS mode.
Cybersecurity experts recommend organizations perform comprehensive security reviews of their cluster management configurations in response to this disclosure.
Regular software updates, prompt application of security patches, and implementation of network segmentation can significantly reduce exposure to such vulnerabilities.