CVE-2025-21198: 
vulnerability analysis and mitigation

Microsoft High Performance Compute (HPC) Pack has been identified with a Remote Code Execution Vulnerability, tracked as CVE-2025-21198. The vulnerability affects HPC Pack 2019 versions prior to 6.3.8328.0 and HPC Pack 2016 versions prior to 2016.3. This security issue was initially disclosed on February 11, 2025, and received updates from NIST on February 28, 2025 (NVD).

The vulnerability has received a Critical CVSS v3.1 base score of 9.0, with the following vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. The vulnerability specifically impacts the Linux agent in High Performance Compute clusters and requires attacker access to the network used to connect the cluster to perform remote attacks. The weakness has been categorized under CWE-306 (Missing Authentication for Critical Function) (NVD, Fortra).

The vulnerability presents significant security implications with high impacts on confidentiality, integrity, and availability as indicated by the CVSS scoring. The networking requirement for exploitation serves as a limiting factor to what would otherwise be an even more severe vulnerability (Fortra).

Microsoft has released patches to address this vulnerability. Systems running HPC Pack 2019 should upgrade to version 6.3.8328.0 or later, while HPC Pack 2016 users should upgrade to version 2016.3 or later (NVD).