CVE-2025-55232: Microsoft High Performance Compute (HPC) Pack Remote Code Execution Vulnerability

Overview

Severity: Critical (CVSS 9.8)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Category: Remote Code Execution
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2025-Sep
Released: 2025-09-09
Last Updated: 2025-09-25
EPSS Score: 1.24% (percentile: 79.3%)

Description

Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an unauthorized attacker to execute code over a network.

FAQ

What do customers need to do to mitigate this vulnerability?
If you are currently using HPC Pack 2019 Update 2, you need to upgrade to HPC Pack 2019 Update 3 (Build 6.3.8328) and then apply the QFE patch (Build 6.3.8352). If you are currently using HPC Pack 2016, you must migrate to 2019 to receive a fix, as there is no in-place update from 2016 to 2019.

How could an attacker exploit the vulnerability?
An attacker who successfully exploits this vulnerability could achieve remote code execution without user interaction.

Affected Products (1)

Azure

  • Microsoft HPC Pack 2019

Security Updates (1)

Acknowledgments

Dennis Carlson with Abacus Group LLC (https://www.abacusgroupllc.com/)

Revision History

  • 2025-09-09: Information published.
  • 2025-09-25: Added an acknowledgement. This is an informational change only.