"HPE Performance Cluster Manager CVE-2025-27086 (CVSS 8.1): RMI Authentication Bypass"

HPE has disclosed an authentication bypass in HPE Performance Cluster Manager (HPCM), the software used to provision, monitor, and manage large HPC and AI clusters. Tracked as CVE-2025-27086 and rated CVSS 8.1 (High), the flaw lets a remote, unauthenticated attacker skip the login process and reach privileged HPCM functions. If you run HPCM to manage compute clusters, this is a patch-now item. The good news: a complete fix is available, and as of this writing there is no evidence of active exploitation.
What happened
HPCM's graphical interface communicates with the back-end server using Java Remote Method Invocation (RMI). In affected versions, the HPCM GUI improperly handles RMI requests, so a specially crafted request can bypass authentication and invoke privileged server-side functions directly. Because HPCM sits at the control plane of a cluster, the affected functions are not trivial — they touch provisioning, configuration, and management of every managed node.
HPE published this in security bulletin hpesbcr04842en_us, and the issue is classified as CWE-287: Improper Authentication. The vulnerability was reported to NVD by HPE itself.
Affected products and versions
The vulnerability affects HPCM releases up to and including 1.12. HPE addressed it in HPCM 1.13.
| Product | Affected | Fixed |
|---|---|---|
| HPE Performance Cluster Manager (HPCM) | All versions up to and including 1.12 (prior to 1.13) | 1.13 |
HPE has indicated the fix is delivered in version 1.13 rather than as a backported patch for earlier branches, so the remediation path is an upgrade to 1.13, not a point patch on 1.12 or below.
How serious is it
The CVSS v3.1 base score is 8.1 (High), with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. Reading that vector:
- Network attack vector (AV:N) — exploitable remotely over the network, not requiring local or adjacent access.
- No privileges required (PR:N) and no user interaction (UI:N) — the attacker does not need credentials or anyone to click anything.
- High impact across confidentiality, integrity, and availability (C:H/I:H/A:H) — a successful bypass can read, alter, and disrupt the managed cluster.
- High attack complexity (AC:H) — this is the one mitigating factor in the score; the attack is not described as trivially repeatable in all conditions, which is part of why the score lands at 8.1 rather than in the critical range.
On exploitation status: CVE-2025-27086 is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, and the NVD SSVC assessment records exploitation as "none." In other words, there is no public evidence of in-the-wild exploitation at this time. That is a reason to patch calmly and deliberately, not a reason to defer — control-plane auth bypasses are exactly the kind of flaw that attracts attention once details circulate.
Am I exposed?
You are potentially affected if all of the following are true:
- You run HPE Performance Cluster Manager to manage one or more clusters.
- Your HPCM version is 1.12 or earlier.
- The HPCM GUI / RMI service is reachable from any network where an untrusted party could send requests.
To check your version, look at the HPCM admin interface or the installed package on your admin node. The exposure that matters most is network reachability of the RMI listener: HPCM management interfaces should never sit on a general-purpose or internet-facing network. If your HPCM admin/management network is tightly segmented and reachable only by a small set of trusted operators, your practical risk is lower than the raw CVSS implies — but segmentation is a compensating control, not a fix.
How to fix it
Primary remediation — upgrade to HPCM 1.13. Version 1.13 contains the complete fix for CVE-2025-27086. This is the action HPE recommends and the only step that fully resolves the vulnerability.
Interim mitigation (if you cannot upgrade immediately). HPE describes a workaround that disables the RMI service the GUI relies on. On the HPCM admin node:
- Edit
/opt/clmgr/etc/cmuserver.conf. - Append
-Dcmu.rmi=falseto theCMU_JAVA_SERVER_ARGSvariable. - Restart the service:
systemctl restart cmdb.service.
This prevents the RMI service from starting. Important caveat: because the GUI uses RMI to talk to the server, applying this workaround disables GUI functionality. It is a stopgap to close the exposure until you can schedule the upgrade, not a long-term operating mode. Treat it as a bridge to 1.13.
Defense in depth, regardless of patch timing. Confirm the HPCM management network is isolated from user, corporate, and internet-facing networks; restrict access to the RMI/GUI ports to known administrative hosts; and review logs on the HPCM server for unexpected RMI activity. These steps reduce who can even reach the vulnerable interface.
How Uniqcli helps
Uniqcli is an authorized HPE, HPE Aruba Networking, and HPE Juniper Networking reseller, and we work with federal, SLED, healthcare, and enterprise teams that run exactly this class of HPC and AI infrastructure. For CVE-2025-27086 we can:
- Assess exposure across your environment — inventory HPCM versions, confirm which clusters are on 1.12 or earlier, and evaluate the network reachability of the RMI/GUI interface so you know your real risk, not just the CVSS number.
- Plan and support the upgrade to HPCM 1.13, including change-window sequencing for production clusters and validation that the interim RMI mitigation can be safely lifted once you cut over.
- Source patched and replacement hardware when a remediation effort surfaces aging nodes or capacity gaps, with compliant procurement paths including TAA-compliant product, GSA, and SEWP vehicles for public-sector buyers.
If you manage HPCM clusters and want help confirming your version, closing the exposure, or scoping the move to 1.13, reach out to the Uniqcli team and we will help you build a remediation and procurement plan that fits your maintenance windows and compliance requirements.
Sources
- HPE Performance Cluster Manager Vulnerability Allow Remote Attacker to Bypass Authentication — CyberSecurityNews
- HPE Performance Cluster Manager Vulnerability Enables Unauthorized Access — GBHackers
- CVE-2025-27086 Detail — NVD (NIST)
- CVE-2025-27086 — Tenable
- HPE Security Bulletin Library
- CISA Known Exploited Vulnerabilities Catalog