CVE-2025-58435: CWE-262: Not Using Password Aging in OSC ondemand

Medium
Tags: Vulnerability, CVE-2025-58435, cve, cwe-262
Published: Tue Sep 09 2025 (09/09/2025, 19:43:47 UTC)
Source: CVE Database V5
Vendor/Project: OSC
Product: ondemand

Description

Open OnDemand is an open-source HPC portal. Prior to versions 3.1.15 and 4.0.7, noVNC interactive applications did not correctly rotate the password when TurboVNC was higher than version 3.1.2. The likelihood of exploitation is low as a user would need to share their link to an active desktop session and the other user would need to be authenticated to the portal. But obtaining the link would allow that user to perform any actions as the original user and access their data. Open OnDemand 3.1.15 and 4.0.7 have patched this vulnerability and correctly rotate passwords for any version of TurboVNC. As a workaround, downgrade TurboVNC to a version lower than 3.1.2.

AI-Powered Analysis

Last updated: 09/09/2025, 19:53:17 UTC

Technical Analysis

CVE-2025-58435 is a medium severity vulnerability affecting Open OnDemand (OSC ondemand), an open-source portal widely used for high-performance computing (HPC) environments. The vulnerability arises from improper password rotation in noVNC interactive applications when used with TurboVNC versions higher than 3.1.2. Specifically, prior to Open OnDemand versions 3.1.15 and 4.0.7, the system failed to rotate passwords correctly, allowing a user who obtains a link to an active desktop session to reuse the session credentials without password expiration. This flaw is classified under CWE-262, which relates to the failure to implement password aging or rotation mechanisms. Exploitation requires that an attacker first obtain the session link and be authenticated to the portal, which lowers the likelihood of exploitation. However, if exploited, the attacker can fully impersonate the original user, gaining access to their data and any actions permitted by their session. The vulnerability does not affect Open OnDemand versions 3.1.15 and later or 4.0.7 and later, where proper password rotation has been implemented regardless of TurboVNC version. As a temporary workaround, downgrading TurboVNC to versions below 3.1.2 mitigates the issue. The CVSS 4.0 base score is 4.1, reflecting a medium severity due to network attack vector, low attack complexity, partial authentication required, and user interaction needed, with high impact on confidentiality and integrity but no impact on availability.
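The affected range above depends on two versions at once: the Open OnDemand release (fixed in 3.1.15 on the 3.x branch and 4.0.7 on the 4.x branch) and the TurboVNC release (the bug only triggers when TurboVNC is newer than 3.1.2). The following added example, which is not code from the Open OnDemand project or from this advisory, encodes that logic as an inventory check an administrator can run against version strings collected from each portal host. The dotted-integer comparison and the treatment of OOD 5.x and later as carrying the fix are assumptions of this example.

```python
"""Applicability check for CVE-2025-58435 (added example, not project code).

Combines the two conditions stated in the advisory:
  * Open OnDemand release is older than the first fixed release on its branch
    (3.1.15 for 3.x, 4.0.7 for 4.x), and
  * TurboVNC release is strictly newer than 3.1.2.
"""
import re
from typing import Tuple

Version = Tuple[int, ...]

# First fixed Open OnDemand release per major branch, from the advisory text.
FIXED_OOD = {3: (3, 1, 15), 4: (4, 0, 7)}
# TurboVNC releases strictly newer than this trigger the missing rotation.
TURBOVNC_TRIGGER: Version = (3, 1, 2)


def parse_version(text: str) -> Version:
    """Pull the first dotted numeric version out of a string such as
    'v4.0.6' or a tool banner like 'TurboVNC Server (Xvnc) 64-bit v3.1.3'.
    Raises ValueError when no version is present."""
    match = re.search(r"(\d+(?:\.\d+)+)", text)
    if not match:
        raise ValueError(f"no dotted version found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def ood_has_fix(ood: Version) -> bool:
    """True when the Open OnDemand release carries the rotation fix.
    Assumption: majors newer than 4 include the fix; majors older than 3
    predate both fixed releases and are treated as unfixed."""
    major = ood[0]
    if major in FIXED_OOD:
        return ood >= FIXED_OOD[major]
    return major > max(FIXED_OOD)


def is_affected(ood_text: str, turbovnc_text: str) -> bool:
    """Both conditions from the advisory must hold for a host to be affected."""
    ood = parse_version(ood_text)
    turbovnc = parse_version(turbovnc_text)
    return (not ood_has_fix(ood)) and turbovnc > TURBOVNC_TRIGGER


def remediation(ood_text: str, turbovnc_text: str) -> str:
    """Name the fix that applies: the branch's fixed release, or the TurboVNC
    downgrade the advisory lists as a workaround, or nothing."""
    if not is_affected(ood_text, turbovnc_text):
        return "not affected"
    major = parse_version(ood_text)[0]
    target = FIXED_OOD.get(major, FIXED_OOD[max(FIXED_OOD)])
    fixed = ".".join(str(p) for p in target)
    return (f"upgrade Open OnDemand to {fixed} or later; "
            f"interim workaround: TurboVNC <= 3.1.2")


if __name__ == "__main__":
    # Constructed inventory rows: (hostname, OOD version, TurboVNC banner).
    inventory = [
        ("ood-a.example", "4.0.6", "TurboVNC Server (Xvnc) 64-bit v3.1.3"),
        ("ood-b.example", "3.1.15", "v3.2"),
        ("ood-c.example", "3.1.14", "v3.1.2"),
    ]
    for host, ood, tvnc in inventory:
        print(f"{host}: {remediation(ood, tvnc)}")
```

Only `is_affected` returning true for a host means the advisory's conditions are both met; a host on TurboVNC 3.1.2 or older is reported as not affected even on an unfixed OOD release, which matches the workaround the advisory describes.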

Potential Impact

For European organizations utilizing Open OnDemand in HPC environments, this vulnerability poses a risk of unauthorized session hijacking if an attacker can obtain active session links and authenticate to the portal. The impact includes potential data exposure, unauthorized data manipulation, and misuse of HPC resources under the compromised user’s identity. Given the collaborative nature of HPC portals, where multiple users may share access or links, the risk of accidental or malicious link sharing increases. This could lead to insider threats or lateral movement within HPC infrastructures. The vulnerability does not directly allow unauthenticated remote exploitation, limiting its impact to users with some level of portal access. However, the confidentiality and integrity of sensitive computational data and research could be compromised, which is critical for academic, governmental, and industrial HPC users in Europe. The medium severity rating suggests that while the threat is not critical, it requires timely patching to prevent potential exploitation, especially in environments with high-value data or strict compliance requirements.

Mitigation Recommendations

European organizations should prioritize upgrading Open OnDemand to versions 3.1.15 or 4.0.7 and later to ensure proper password rotation is enforced. Until upgrades can be applied, organizations should consider downgrading TurboVNC to versions below 3.1.2 as a temporary mitigation. Additionally, organizations should enforce strict access controls and monitoring on session link sharing, including educating users about the risks of sharing active session URLs. Implementing multi-factor authentication (MFA) on the portal can reduce the risk of unauthorized access even if links are leaked. Logging and alerting on unusual session activities or multiple concurrent sessions from different IP addresses can help detect potential misuse. Regular audits of user sessions and periodic password resets for portal accounts can further reduce risk. Network segmentation of HPC portals and limiting portal access to trusted networks or VPNs can also reduce exposure. Finally, organizations should review and update their incident response plans to include scenarios involving session hijacking in HPC environments.
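The recommendation to alert on unusual session activity can be made concrete. Because exploitation requires a second, separately authenticated portal user to open the original user's desktop link, the strongest signal is one interactive-session identifier being reached by more than one portal account; the same session appearing from several source addresses is a weaker signal. The following added example, not code from Open OnDemand or from this advisory, runs that logic over a few constructed log lines. The log format (timestamp, `user=`, `src=`, `session=`) is an assumption of this example and would need adapting to the portal's real access logs.

```python
"""Detect shared interactive-session links in portal access logs
(added example, not project code; log format is constructed)."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Assumed log line shape: ISO timestamp, then key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) session=(?P<session>\S+)"
)

# Constructed sample: desk-7f3a is opened by alice, then by a second
# authenticated user (carol) from a different address.
SAMPLE_LOG = """\
2025-09-09T19:40:01Z user=alice src=10.0.0.5 session=desk-7f3a
2025-09-09T19:41:10Z user=alice src=10.0.0.5 session=desk-7f3a
2025-09-09T19:42:30Z user=bob src=10.0.0.9 session=desk-9c1e
2025-09-09T19:55:02Z user=carol src=192.0.2.44 session=desk-7f3a
2025-09-09T20:10:15Z user=alice src=10.0.0.6 session=desk-7f3a
"""


def parse_lines(text: str) -> List[Dict]:
    """Parse log lines into events; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        event = match.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def find_shared_sessions(events: List[Dict]) -> List[Dict]:
    """Return one finding per session that was reached by more than one
    portal user (severity high) or, failing that, from more than one
    source address (severity low). Sessions with a single user and a
    single source produce no finding."""
    by_session: Dict[str, List[Dict]] = defaultdict(list)
    for event in events:
        by_session[event["session"]].append(event)

    findings = []
    for session, evs in sorted(by_session.items()):
        users = sorted({e["user"] for e in evs})
        sources = sorted({e["src"] for e in evs})
        if len(users) > 1:
            severity = "high"   # a second authenticated account used the link
        elif len(sources) > 1:
            severity = "low"    # same account, several addresses (roaming or reuse)
        else:
            continue
        findings.append({
            "session": session,
            "users": users,
            "sources": sources,
            "severity": severity,
            "first_seen": min(e["ts"] for e in evs),
            "last_seen": max(e["ts"] for e in evs),
        })
    return findings


if __name__ == "__main__":
    for finding in find_shared_sessions(parse_lines(SAMPLE_LOG)):
        print(f"[{finding['severity']}] session {finding['session']} "
              f"users={finding['users']} sources={finding['sources']} "
              f"({finding['first_seen']:%H:%M} to {finding['last_seen']:%H:%M})")
```

Grouping by session rather than by user is the design choice that matters here: a per-user view would show alice and carol each behaving normally, while the per-session view exposes that both accounts reached the same desktop.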

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-09-01T20:03:06.532Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c0859d840cb93c117a091d

Added to database: 9/9/2025, 7:53:01 PM

Last enriched: 9/9/2025, 7:53:17 PM

Last updated: 9/9/2025, 7:53:48 PM
