A critical security vulnerability (CVE-2025-27086) has been identified in Hewlett Packard Enterprise (HPE) Performance Cluster Manager (HPCM) versions 1.12 and earlier.
This flaw resides in the HPCM graphical user interface (GUI) and allows remote attackers to bypass authentication, potentially gaining unauthorized access to sensitive systems and data.
Technical Details
- Vulnerability Type: Remote Authentication Bypass
- Attack Vector: Network (remote exploitation possible)
- Affected Versions: HPE Performance Cluster Manager (HPCM) 1.12 and earlier
- Severity: High (CVSS v3.1 Base Score: 8.1)
- Exploit Prerequisites: No authentication or user interaction required
- Potential Impact:
  - Unauthorized remote access to cluster management systems
  - Ability to manipulate cluster configurations
  - Extraction of sensitive operational data
  - Disruption of critical computing workflows
Mitigation and Remediation
- Patched Version: HPE has released HPCM version 1.13, which fully addresses this vulnerability. All users are strongly urged to upgrade to HPCM 1.13 immediately.
- No Backport Fixes: HPE will not release patches for versions before 1.13. Continued use of older versions leaves systems exposed.
- Workaround for Unpatched Systems:
  - Disable the HPCM GUI by editing /opt/clmgr/etc/cmuserver.conf
  - Add -Dcmu.rmi=false to the CMU_JAVA_SERVER_ARGS parameter
  - Restart the cmdb.service
  - This disables the Remote Method Invocation (RMI) service, which the GUI uses, effectively neutralizing the attack vector without requiring downtime.
- Additional Recommendations:
- Restrict GUI access to trusted internal networks only
- Monitor system logs for unusual authentication attempts or configuration changes
- Review and update system management and security procedures regularly
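The workaround above is a three-step edit-and-restart procedure that is easy to get wrong across a fleet (flag added twice, parameter line missed, service not restarted). The following shell script is an added example, not HPE's own tooling: it idempotently adds -Dcmu.rmi=false to the CMU_JAVA_SERVER_ARGS parameter in /opt/clmgr/etc/cmuserver.conf, verifies the result, and restarts cmdb.service. It assumes (the advisory does not say) that the parameter is written as a single-line assignment of the form CMU_JAVA_SERVER_ARGS="..." and that the host uses systemd; the backup-file naming and the rmi_disabled check are this example's own conventions.

```shell
#!/bin/sh
# Added example (not HPE code): apply and verify the CVE-2025-27086 workaround.
# Assumption: CMU_JAVA_SERVER_ARGS is a single-line assignment, optionally
# double-quoted, e.g.  CMU_JAVA_SERVER_ARGS="-Xmx2g"

CONF_DEFAULT=/opt/clmgr/etc/cmuserver.conf      # path from the advisory
PARAM='CMU_JAVA_SERVER_ARGS'                    # parameter from the advisory
FLAG='-Dcmu.rmi=false'                          # flag from the advisory
FLAG_RE='-Dcmu\.rmi=false'                      # same flag, regex-escaped

# rmi_disabled FILE -> exit 0 if the flag is already set on the parameter line
rmi_disabled() {
    grep -E "^[[:space:]]*${PARAM}=.*${FLAG_RE}" "$1" >/dev/null 2>&1
}

# apply_workaround [FILE] -> adds the flag if missing; prints a status word
apply_workaround() {
    conf="${1:-$CONF_DEFAULT}"
    if [ ! -f "$conf" ]; then
        echo "config not found: $conf" >&2
        return 2
    fi
    if rmi_disabled "$conf"; then
        echo "already applied"
        return 0
    fi
    # keep a timestamped copy before touching the file (example convention)
    cp "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
    if grep -E "^[[:space:]]*${PARAM}=" "$conf" >/dev/null; then
        # insert the flag right after the '=' (and opening quote, if present)
        sed "s|^\([[:space:]]*${PARAM}=\"\{0,1\}\)|\1${FLAG} |" "$conf" \
            > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        # parameter line absent: append one (assumes the quoted syntax above)
        printf '%s="%s"\n' "$PARAM" "$FLAG" >> "$conf"
    fi
    if rmi_disabled "$conf"; then
        echo "applied"
    else
        echo "failed" >&2
        return 1
    fi
}

# restart_cmdb -> restarts the service named in the advisory via systemd
restart_cmdb() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart cmdb.service
    else
        echo "systemctl not found; restart cmdb.service manually" >&2
        return 1
    fi
}

# Usage: sh apply_rmi_workaround.sh [/path/to/cmuserver.conf]
# With no argument the functions are only defined (safe to source for audits).
if [ "$#" -gt 0 ]; then
    apply_workaround "$1" && restart_cmdb
fi
```

Running `rmi_disabled /opt/clmgr/etc/cmuserver.conf` on its own is a cheap compliance check for hosts that cannot yet move to 1.13; a zero exit means the RMI service is configured off, but only a restart of cmdb.service makes the change effective.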
Risk and Exposure
HPCM is widely used in high-performance computing environments, including research, finance, and AI.
A successful attack could result in intellectual property theft, operational outages, or regulatory compliance issues.
While there is no evidence of active exploitation, public disclosure increases the risk of attacks targeting unpatched systems.
Reporting and Support
- For implementation support, contact HPE Services via standard support channels.
- To report a security issue, email [email protected] or use the HPE web form.
- Security bulletins and updates are available on the HPE support site.
All organizations running HPE Performance Cluster Manager 1.12 or earlier must take immediate action.
Upgrade to version 1.13 or apply the recommended workaround to mitigate the risk of remote authentication bypass and potential compromise of critical computing infrastructure.