CVE-2025-55232
Published: 2025-09-09
CVE-2025-55232: Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an unauthorized attacker to execute code over a network.
Priority P265 | critical | 9.8 CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.92% (77.4th percentile)
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | hpc_pack | < 6.3.8352 | 6.3.8352 |
| microsoft | microsoft_hpc_pack_2019 | >= 1.0.0 < 6.3.8352 Quick Fix QFE | 6.3.8352 Quick Fix QFE |
| msrc | microsoft_hpc_pack_2019 | — | — |
Detection & IOCs (extracted from sources)
- Monitor for unsolicited inbound connections on TCP port 5999 to HPC Pack nodes, which is the attack surface for this deserialization RCE vulnerability.
- Detect exploitation attempts as network-based deserialization of untrusted data reaching HPC Pack services; no user interaction is required, making any unexpected remote session on TCP/5999 from untrusted hosts suspicious.
- Vulnerable versions: HPC Pack 2019 Update 2 and HPC Pack 2016. Fixed in HPC Pack 2019 Update 3 (Build 6.3.8328) + QFE patch (Build 6.3.8352). HPC Pack 2016 has no in-place fix and requires migration to 2019.
- The vulnerability is triggered over the network without authentication or user interaction, meaning any HPC Pack node with TCP/5999 exposed beyond a trusted network perimeter is at immediate risk.
CVSS provenance
- nvd: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vendor_msrc: 9.8 CRITICAL
Microsoft
Microsoft High Performance Compute (HPC) Pack Remote Code Execution Vulnerability
vendor_msrc·2025-09-09·CVSS 9.8
CVE-2025-55232 [CRITICAL] CWE-502 Microsoft High Performance Compute (HPC) Pack Remote Code Execution Vulnerability
Description: Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an unauthorized attacker to execute code over a network.
FAQ: What do customers need to do to mitigate this vulnerability?
If you are currently using HPC Pack 2019 Update 2, you need to upgrade to HPC Pack 2019 Update 3 (Build 6.3.8328) and then apply the QFE patch (Build 6.3.8352).
If you are currently using HPC Pack 2016, you must migrate to 2019 to receive a fix, as there is no in-place update from 2016 to 2019.
FAQ: How could an attacker exploit the vulnerability?
An attacker who successfully exploits this vulnerability could achieve remote code execution without user interaction.
Microsoft High Perf
GHSA
GHSA-w36g-ppvw-ghp6: Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an unauthorized attacker to execute code over a network
ghsa_unreviewed·2025-09-09
CVE-2025-55232 [CRITICAL] CWE-502 GHSA-w36g-ppvw-ghp6: Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an unauthorized attacker to execute code over a network
Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an unauthorized attacker to execute code over a network.
No detection rules found.
No public exploits indexed.
Bleepingcomputer
Microsoft September 2025 Patch Tuesday fixes 81 flaws, two zero-days
blogs_bleepingcomputer·2025-09-09·CVSS 8.8
[HIGH] Microsoft September 2025 Patch Tuesday fixes 81 flaws, two zero-days
## Microsoft September 2025 Patch Tuesday fixes 81 flaws, two zero-days
## Lawrence Abrams
- 41 Elevation of Privilege Vulnerabilities
- 2 Security Feature Bypass Vulnerabilities
- 22 Remote Code Execution Vulnerabilities
- 16 Information Disclosure Vulnerabilities
- 3 Denial of Service Vulnerabilities
- 1 Spoofing Vulnerabilities
When BleepingComputer reports on the Patch Tuesday security updates, we only count those released on Patch Tuesday.
Therefore, the number of flaws does not include three Azure, one Dynamics 365 FastTrack Implementation Assets, two Mariner, five Microsoft Edge, and 1 Xbox vulnerabilities fixed earlier this month.
To learn more about the non-security updates released today, you can review our dedicated articles on the Windows 11 KB5065426 & KB5065431 cumulative updat
Qualys
Microsoft and Adobe Patch Tuesday, September 2025 Security Update Review
blogs_qualys·2025-09-09
It’s the second Tuesday of September, and Microsoft has rolled out its latest security updates. Microsoft’s September 2025 Patch Tuesday has arrived, bringing a fresh wave of security fixes
Published: 2025-09-09