Authentication bypass vulnerability reported in HPE Performance Cluster Manager (HPCM)
Take action: If you are running HPE Clusters and are using HPE Performance Cluster Manager, time to patch it ASAP. Although the flaw is not scored as critical, an authentication bypass to the Cluster Manager can be a nasty vector of attack. Naturally, make sure it's only accessible from isolated and trusted networks. Then patch.
A security vulnerability has been identified in Hewlett Packard Enterprise's Performance Cluster Manager (HPCM) that allows attackers to remotely bypass authentication.
The vulnerability is tracked as CVE-2025-27086 (CVSS score 8.1), and affects the graphical user interface (GUI) component of HPCM where Remote Method Invocation (RMI) is used for communication between the GUI and the underlying server.
By crafting specially designed requests, attackers can circumvent the authentication process, gaining direct access to privileged functions without clearance.
The flaw affects HPE Performance Cluster Manager (HPCM) version 1.12 and earlier.
HPE has fixed this vulnerability in HPCM version 1.13. Organizations are strongly encouraged to upgrade to this version as soon as possible.
For organizations unable to implement an immediate upgrade due to operational constraints, HPE has provided a temporary mitigation strategy:
- Modify the configuration file located at /opt/clmgr/etc/cmuserver.conf
- Append the argument -Dcmu.rmi=false to the CMU_JAVA_SERVER_ARGS variable
- Restart the cmdb.service
The configuration change disables the RMI service that facilitates the insecure GUI interactions, effectively blocking the attack vector. It also disables GUI functionality, requiring administrators to use alternative management interfaces until the system can be properly updated.
HPE confirms this mitigation can be safely implemented in production environments without disrupting critical cluster operations.
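The three-step interim mitigation above, as an added shell example (this is not HPE's code or documentation): it appends -Dcmu.rmi=false to CMU_JAVA_SERVER_ARGS idempotently, keeps a timestamped backup, refuses to proceed if the variable is not found, and verifies the edit took effect. It assumes cmuserver.conf holds a shell-style line of the form CMU_JAVA_SERVER_ARGS="..." with no trailing comment; the advisory does not document the file's layout, so check that on a real node before relying on it. The demonstration at the bottom runs against a constructed sample file, not the real path.

```shell
#!/bin/sh
# Added example, not HPE's code: apply the interim CVE-2025-27086 mitigation
# (disable RMI in HPCM) idempotently, keep a backup, and verify the result.
# ASSUMPTION: cmuserver.conf contains one shell-style line such as
#   CMU_JAVA_SERVER_ARGS="-Xmx2g -Djava.awt.headless=true"
# with no trailing comment. The advisory does not document the real layout.

CONF_DEFAULT=/opt/clmgr/etc/cmuserver.conf   # path from the advisory
RMI_FLAG='-Dcmu.rmi=false'                    # argument from the advisory

# True when the flag is already present on the CMU_JAVA_SERVER_ARGS line.
rmi_disabled() {
    grep -Eq "^[[:space:]]*CMU_JAVA_SERVER_ARGS=.*${RMI_FLAG}" "$1"
}

# Append RMI_FLAG to CMU_JAVA_SERVER_ARGS. Fails loudly if the file or the
# variable is missing, so a wrong path or an unexpected format is not
# silently "mitigated". Safe to run repeatedly: a second run changes nothing.
apply_rmi_mitigation() {
    conf=${1:-$CONF_DEFAULT}
    [ -f "$conf" ] || { echo "$conf: no such file" >&2; return 1; }
    if rmi_disabled "$conf"; then
        echo "$conf: $RMI_FLAG already set, nothing to do"
        return 0
    fi
    grep -Eq '^[[:space:]]*CMU_JAVA_SERVER_ARGS=' "$conf" || {
        echo "$conf: CMU_JAVA_SERVER_ARGS not defined, refusing to guess" >&2
        return 1
    }
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"   # rollback copy
    cp -p "$conf" "$conf.tmp"                           # keep owner/mode on the new file
    awk -v flag="$RMI_FLAG" '
        /^[[:space:]]*CMU_JAVA_SERVER_ARGS=/ {
            i = index($0, "=")
            name = substr($0, 1, i)          # "CMU_JAVA_SERVER_ARGS="
            val  = substr($0, i + 1)
            gsub(/^[[:space:]]*"|"[[:space:]]*$/, "", val)   # strip surrounding quotes
            sep = (val == "") ? "" : " "
            print name "\"" val sep flag "\""   # always re-quote the value
            next
        }
        { print }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    rmi_disabled "$conf"   # exit status tells the caller whether the edit took effect
}

# Full procedure from the advisory on a real node (needs root): edit the
# file, then restart the service that reads it. Not run by the demo below.
apply_and_restart() {
    apply_rmi_mitigation "$@" && systemctl restart cmdb.service
}

# Demonstration on a constructed sample file, so the example runs anywhere
# without touching /opt/clmgr. The contents are invented for illustration.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# constructed sample, not HPE's shipped cmuserver.conf
OTHER_SETTING=1
CMU_JAVA_SERVER_ARGS="-Xmx2g -Djava.awt.headless=true"
EOF
apply_rmi_mitigation "$demo_conf"
apply_rmi_mitigation "$demo_conf"   # idempotent: reports "already set"
grep '^CMU_JAVA_SERVER_ARGS=' "$demo_conf"
```

On a real node, run apply_and_restart as root and then confirm in the service log that the server came up without RMI; remember that the GUI stops working as the advisory states, and that the flag can be removed again once the host is on HPCM 1.13.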