CVE-2025-58435: CWE-262: Not Using Password Aging in OSC ondemand
Open OnDemand is an open-source HPC portal. Prior to versions 3.1.15 and 4.0.7, noVNC interactive applications did not correctly rotate the password when TurboVNC was higher than version 3.1.2. The likelihood of exploitation is low as a user would need to share their link to an active desktop session and the other user would need to be authenticated to the portal. But obtaining the link would allow that user to perform any actions as the original user and access their data. Open OnDemand 3.1.15 and 4.0.7 have patched this vulnerability and correctly rotate passwords for any version of TurboVNC. As a workaround, downgrade TurboVNC to a version lower than 3.1.2.
AI Analysis
Technical Summary
CVE-2025-58435 is a medium-severity vulnerability affecting Open OnDemand (OOD), an open-source high-performance computing (HPC) portal widely used to provide web-based access to HPC resources. The vulnerability arises from improper password rotation in the noVNC interactive applications component when used with TurboVNC versions higher than 3.1.2. Specifically, prior to OOD versions 3.1.15 and 4.0.7, the system failed to correctly rotate session passwords, which are critical for securing remote desktop sessions. This flaw is categorized under CWE-262, indicating a failure to implement password aging or rotation mechanisms. Exploitation requires that an attacker obtain the link to an active desktop session and be authenticated to the OOD portal. If these conditions are met, the attacker can reuse the session password to impersonate the original user, gaining full access to their desktop session and any data or actions therein. The vulnerability does not require local system access but does require portal authentication and user interaction (sharing of session links). The issue has been addressed in OOD versions 3.1.15 and 4.0.7 by implementing proper password rotation for all TurboVNC versions. As a temporary mitigation, downgrading TurboVNC to versions below 3.1.2 can prevent exploitation. The CVSS 4.0 score is 4.1 (medium), reflecting the need for authentication and user interaction, but also the high impact on confidentiality and integrity if exploited.
Potential Impact
For European organizations utilizing Open OnDemand for HPC access, this vulnerability poses a risk of unauthorized session hijacking and data exposure. HPC environments often handle sensitive research data, intellectual property, or critical infrastructure simulations. An attacker who gains access to an active desktop session could manipulate computations, exfiltrate data, or disrupt workflows, potentially causing operational and reputational damage. The requirement for portal authentication and link sharing reduces the likelihood of widespread exploitation, but insider threats or compromised credentials could facilitate attacks. Additionally, organizations with collaborative HPC projects may inadvertently share session links, increasing risk. The impact on confidentiality and integrity is high, as attackers can perform any action as the original user. Availability impact is minimal, as the vulnerability does not directly cause denial of service. Overall, the threat is significant for European research institutions, universities, and enterprises relying on HPC portals for sensitive workloads.
Mitigation Recommendations
1. Upgrade Open OnDemand installations to versions 3.1.15 or 4.0.7 (or later) immediately to ensure proper password rotation is enforced regardless of TurboVNC version.
2. If upgrading OOD is not immediately feasible, downgrade TurboVNC to versions below 3.1.2 as a temporary workaround to prevent password reuse.
3. Enforce strict access controls and monitoring on the OOD portal to detect unusual session sharing or multiple logins from the same session link.
4. Educate users on the risks of sharing active session links and implement policies to minimize link sharing.
5. Implement multi-factor authentication (MFA) on the OOD portal to reduce the risk of unauthorized authentication.
6. Regularly audit session logs and monitor for anomalous activities indicative of session hijacking.
7. Consider network segmentation and VPN usage to restrict access to the OOD portal to trusted networks and users.
8. Coordinate with HPC administrators to review and harden the overall security posture of the HPC environment, including VNC session management and password policies.
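The following is an added example, not code from the Open OnDemand project or this advisory, that turns the version conditions in the Technical Summary and recommendations 1 and 2 into an inventory check: an installation is exposed only when OOD is older than the fix for its release line and TurboVNC is above 3.1.2. It assumes the fix applies per release line (3.x fixed at 3.1.15+, 4.x at 4.0.7+, later majors treated as fixed); the function and constant names are the example's own.

```python
"""Assess exposure to CVE-2025-58435 from an OOD and TurboVNC version pair.

Added example (not Open OnDemand project code). Assumption: the fixed
versions 3.1.15 and 4.0.7 close the bug for the 3.x and 4.x release lines
respectively, and any later major release is treated as fixed.
"""
from __future__ import annotations
import re

# First fixed release per OOD major version (from the advisory).
OOD_FIXED = {3: (3, 1, 15), 4: (4, 0, 7)}
# Password rotation breaks only when TurboVNC is newer than this.
TURBOVNC_TRIGGER = (3, 1, 2)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '3.1.15', 'v4.0.7' or '4.0.7-rc1' into a comparable int tuple."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad so '3.1' compares as 3.1.0


def ood_is_patched(ood_version: str) -> bool:
    """True when OOD is at or beyond the fixed release for its major version."""
    v = parse_version(ood_version)
    fixed = OOD_FIXED.get(v[0])
    if fixed is None:
        return v[0] > 4  # assumption: majors after 4 carry the fix
    return v >= fixed


def turbovnc_triggers(turbovnc_version: str) -> bool:
    """True when TurboVNC is newer than 3.1.2, i.e. the version that exposes the bug."""
    return parse_version(turbovnc_version) > TURBOVNC_TRIGGER


def assess(ood_version: str, turbovnc_version: str) -> str:
    """Return 'patched', 'vulnerable', or 'workaround' (old TurboVNC masks the bug)."""
    if ood_is_patched(ood_version):
        return "patched"
    if turbovnc_triggers(turbovnc_version):
        return "vulnerable"
    return "workaround"


if __name__ == "__main__":
    for ood, tvnc in [("3.1.14", "3.1.3"), ("4.0.6", "3.1.2"), ("4.0.7", "3.2.0")]:
        print(f"OOD {ood} + TurboVNC {tvnc}: {assess(ood, tvnc)}")
```

Feed it the versions reported by each portal node; a "workaround" result still warrants scheduling the OOD upgrade, since the exposure returns as soon as TurboVNC is updated.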
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Switzerland, Italy, Spain, Belgium, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-09-01T20:03:06.532Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68c0859d840cb93c117a091d
Added to database: 9/9/2025, 7:53:01 PM
Last enriched: 9/17/2025, 1:06:05 AM
Last updated: 10/30/2025, 2:10:05 PM