CVE-2025-66433: CWE-863 Incorrect Authorization in wisc HTCondor
HTCondor Access Point before 25.3.1 allows an authenticated user to impersonate other users on the local machine by submitting a batch job. This is fixed in 24.12.14, 25.0.3, and 25.3.1. The earliest affected version is 24.7.3.
AI Analysis
Technical Summary
CVE-2025-66433 is a security vulnerability classified under CWE-863 (Incorrect Authorization) affecting the HTCondor Access Point software developed by the University of Wisconsin (wisc). HTCondor is a specialized workload management system for compute-intensive jobs, widely used in academic, research, and scientific computing environments. The vulnerability exists in versions starting from 24.7.3 through 25.1.0, where an authenticated user can submit batch jobs that allow them to impersonate other users on the local machine. This impersonation occurs due to improper authorization checks when handling batch job submissions, enabling a user with limited privileges to escalate their access by acting as another user. The flaw does not require user interaction beyond authentication but demands local access with at least low privileges. The CVSS v3.1 score is 4.2 (medium severity), reflecting that the attack vector is local (AV:L), requires high attack complexity (AC:H), low privileges (PR:L), and no user interaction (UI:N). The impact affects confidentiality and integrity to a limited extent but does not compromise availability. The vulnerability has been addressed in HTCondor versions 24.12.14, 25.0.3, and 25.3.1, which include proper authorization enforcement to prevent user impersonation. No public exploits or active exploitation campaigns have been reported to date, but the risk remains for environments running vulnerable versions, especially where multiple users share compute resources.
Potential Impact
For European organizations, particularly research institutions, universities, and scientific computing centers that rely on HTCondor for workload management, this vulnerability poses a risk of unauthorized privilege escalation and user impersonation. An attacker with valid credentials on the system could leverage this flaw to execute jobs under the identity of other users, potentially accessing sensitive data or manipulating job results. This undermines confidentiality and integrity of computational tasks and data. While the vulnerability does not affect system availability, the impersonation could facilitate further lateral movement or data exfiltration within shared compute environments. Given the collaborative and multi-user nature of many European research infrastructures, the impact could extend to compromising trust boundaries between users and affecting compliance with data protection regulations such as GDPR if sensitive data is exposed. The medium severity rating indicates a moderate risk that should be addressed promptly to maintain secure multi-user operations.
Mitigation Recommendations
European organizations using HTCondor should immediately verify their deployed versions and upgrade to at least 24.12.14, 25.0.3, or 25.3.1 where the vulnerability is fixed. If immediate patching is not feasible, restrict access to HTCondor Access Point to trusted users only and enforce strict authentication and authorization policies. Implement monitoring and logging of batch job submissions to detect anomalous impersonation attempts. Consider isolating compute nodes or using containerization to limit the impact of potential impersonation. Regularly audit user permissions and review job submission policies to ensure least privilege principles are enforced. Additionally, coordinate with institutional IT security teams to integrate HTCondor security posture into broader identity and access management frameworks. Finally, stay informed about any emerging exploit reports or updates from the vendor.
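The version check recommended above, as an added example that is not part of the original advisory or of HTCondor itself. It assumes each fixed release closes its own release series (24.12.14 for 24.x, 25.0.3 for 25.0.x, 25.3.1 for 25.1 and later) and that versions are collected as bare `x.y.z` strings or as the `$CondorVersion:` banner printed by `condor_version`; host names and banners in the sample inventory are constructed.

```python
import re

# Version bounds copied from the advisory text on this page.
EARLIEST_AFFECTED = (24, 7, 3)
FIXED_24 = (24, 12, 14)   # assumed to close the 24.x series
FIXED_25_0 = (25, 0, 3)   # assumed to close the 25.0.x series
FIXED_25 = (25, 3, 1)     # assumed to close 25.1 and later


def parse_version(text):
    """Extract (major, minor, patch) from a bare version or a version banner."""
    m = re.search(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?![\d.])", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(text):
    """True if the version falls in the affected range described on this page."""
    v = parse_version(text)
    if v < EARLIEST_AFFECTED:
        return False              # predates the earliest affected release
    if v[0] == 24:
        return v < FIXED_24
    if v[:2] == (25, 0):
        return v < FIXED_25_0
    return v < FIXED_25           # 25.1+; anything newer is already fixed


def hosts_to_upgrade(inventory):
    """Return the sorted host names whose reported version is affected."""
    return sorted(h for h, banner in inventory.items() if is_affected(banner))


# Constructed inventory: host names and banners are made up for this example.
SAMPLE_INVENTORY = {
    "ap1.example.org": "$CondorVersion: 24.9.2 2025-06-05 BuildID: 000000 $",
    "ap2.example.org": "24.12.14",
    "ap3.example.org": "25.0.2",
    "ap4.example.org": "24.0.14",
    "ap5.example.org": "25.3.1",
}

if __name__ == "__main__":
    for host in hosts_to_upgrade(SAMPLE_INVENTORY):
        print(f"{host}: affected by CVE-2025-66433, upgrade required")
```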
Affected Countries
Germany, France, United Kingdom, Netherlands, Switzerland, Italy, Spain, Sweden, Belgium, Denmark
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-11-30T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 692bcbdbd16937600915085f
Added to database: 11/30/2025, 4:45:15 AM
Last enriched: 12/7/2025, 5:31:30 AM
Last updated: 1/14/2026, 9:45:10 AM