CVE-2025-37087: Vulnerability in Hewlett Packard Enterprise (HPE) HPE Performance Cluster Manager (HPCM)
A vulnerability in the cmdb service of the HPE Performance Cluster Manager (HPCM) could allow an attacker to gain access to an arbitrary file on the server host.
AI Analysis
Technical Summary
CVE-2025-37087 is a critical vulnerability identified in the cmdb service component of Hewlett Packard Enterprise's Performance Cluster Manager (HPCM). This vulnerability allows an unauthenticated attacker to gain unauthorized access to arbitrary files on the server hosting the HPCM software. The vulnerability is classified under CWE-862 (Missing Authorization), indicating that the cmdb service fails to properly enforce access controls. The CVSS v3.1 base score is 9.8, reflecting the high severity of this flaw. The vector metrics (AV:N/AC:L/PR:N/UI:N) indicate that the attack can be performed remotely over the network without any privileges or user interaction, making exploitation straightforward. The impact metrics (C:H/I:H/A:H) show that confidentiality, integrity, and availability of the affected system can be fully compromised. Since HPCM is used to manage and monitor high-performance computing clusters, unauthorized file access could lead to exposure of sensitive configuration files, credentials, or other critical data, potentially enabling further attacks such as privilege escalation or lateral movement within an organization’s infrastructure. Although no known exploits have been reported in the wild yet, the critical nature and ease of exploitation make this a significant threat. No patches or mitigations have been published at the time of disclosure, increasing the urgency for affected organizations to implement compensating controls.
Potential Impact
For European organizations, the impact of this vulnerability can be severe, especially for those relying on HPE Performance Cluster Manager to oversee HPC environments used in research, finance, manufacturing, or government sectors. Unauthorized file access could expose sensitive intellectual property, personal data protected under GDPR, or critical operational configurations. This exposure risks data breaches, regulatory penalties, and disruption of critical services. The ability to compromise confidentiality, integrity, and availability means attackers could manipulate cluster operations, degrade performance, or cause denial of service. Given the critical role HPC clusters play in scientific research and industrial processes, exploitation could lead to significant operational downtime and financial loss. Furthermore, the lack of authentication requirement and remote exploitability increases the attack surface, making European entities attractive targets for cybercriminals or state-sponsored actors aiming to disrupt or steal sensitive data from high-value infrastructure.
Mitigation Recommendations
In the absence of an official patch, European organizations should immediately implement network-level restrictions to limit access to the cmdb service. This includes isolating HPCM management interfaces behind firewalls, VPNs, or zero-trust network access solutions to ensure only authorized personnel and systems can communicate with the service. Monitoring and logging all access attempts to the cmdb service should be enhanced to detect suspicious activity early. Organizations should conduct thorough audits of file permissions and configurations on HPCM servers to minimize exposure of sensitive files. Employing host-based intrusion detection systems (HIDS) can help identify anomalous file access patterns. Additionally, organizations should prepare incident response plans specific to HPCM compromise scenarios. Engaging with HPE support channels for early access to patches or workarounds is critical. Finally, organizations should review and tighten overall cluster security posture, including segmentation of HPC environments from general enterprise networks to reduce lateral movement risk.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Switzerland, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: hpe
- Date Reserved: 2025-04-16T01:28:25.362Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d981ac4522896dcbd8f3c
Added to database: 5/21/2025, 9:08:42 AM
Last enriched: 7/5/2025, 10:25:37 AM
Last updated: 8/10/2025, 8:29:22 AM