CVE-2025-66433 is an authorization vulnerability classified under CWE-863 found in the HTCondor Access Point software developed by the University of Wisconsin (wisc). HTCondor is a workload management system commonly used in high-performance computing (HPC) environments to manage and schedule batch jobs. The flaw exists in versions starting from 24.7.3 up to 25.1.0, where an authenticated user with low privileges can submit a batch job that impersonates other local users on the same machine. This impersonation occurs due to insufficient authorization checks in the Access Point component, allowing the attacker to execute actions or access resources as another user. The vulnerability requires local access and authentication but has a high attack complexity, meaning exploitation is not trivial but feasible for authorized users. The CVSS v3.1 base score is 4.2 (medium), reflecting limited impact on confidentiality and integrity, no impact on availability, and the requirement for local privileges and high complexity. The vulnerability has been addressed in patched versions 24.12.14, 25.0.3, and 25.3.1. No public exploits or active exploitation campaigns have been reported to date. This vulnerability could be leveraged for lateral movement or privilege escalation within HPC clusters or research environments using HTCondor, potentially exposing sensitive computational workloads or data.

For European organizations, especially research institutions, universities, and HPC centers that rely on HTCondor for workload management, this vulnerability poses a risk of unauthorized user impersonation on local systems. Such impersonation can lead to unauthorized access to sensitive computational jobs, data leakage, or manipulation of job execution results, impacting confidentiality and integrity. Although the vulnerability does not directly affect availability, the ability to impersonate users could facilitate further attacks such as privilege escalation or lateral movement within the network. Given the critical role of HPC environments in scientific research, engineering, and data analysis across Europe, exploitation could disrupt research integrity and data confidentiality. Organizations with multi-user shared compute environments are particularly at risk. However, the requirement for authenticated local access and high attack complexity somewhat limits the threat scope to insiders or compromised accounts.

European organizations should immediately verify their HTCondor Access Point versions and upgrade to patched releases 24.12.14, 25.0.3, or 25.3.1 as applicable. Restrict access to HTCondor Access Point interfaces to trusted users only and enforce strong authentication and authorization policies. Implement strict user account management and monitoring to detect anomalous batch job submissions or impersonation attempts. Employ network segmentation to isolate HPC clusters and limit lateral movement opportunities. Regularly audit and review job submission logs for suspicious activity. Consider deploying host-based intrusion detection systems (HIDS) to detect unauthorized privilege escalations. Additionally, educate users about the risk of submitting jobs with elevated privileges and enforce the principle of least privilege for all user accounts. Finally, maintain an up-to-date inventory of HTCondor deployments and apply security patches promptly.