Cyber Posture

CVE-2025-21198

Critical

Published: 11 February 2025

Published
11 February 2025
Modified
28 February 2025
KEV Added
Patch
CVSS Score 9.0 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0016 37.1th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-21198 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Microsoft Hpc Pack 2016. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked at the 37.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly remediates the specific RCE vulnerability in Microsoft HPC Pack by identifying, reporting, and applying vendor patches from the MSRC advisory.

AC-14 Permitted Actions Without Identification or Authentication good match
prevent

Addresses CWE-306 missing authentication for critical function by restricting and documenting permitted actions without identification or authentication in HPC Pack.

AC-3 Access Enforcement good match
prevent

Enforces approved authorizations for access to critical functions, preventing low-privileged adjacent network attackers from achieving RCE.

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
attack.mitre.org →
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

Missing authentication enables remote exploitation of the HPC service for code execution (T1210) with scope-changing privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Microsoft High Performance Compute (HPC) Pack Remote Code Execution Vulnerability

Deeper analysisAI

CVE-2025-21198 is a remote code execution vulnerability affecting Microsoft High Performance Compute (HPC) Pack. Published on 2025-02-11, it carries a CVSS v3.1 base score of 9.0, reflecting its critical severity with vector AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. The issue is linked to CWE-306 (Missing Authentication for Critical Function) and lacks additional CWE details from NVD.

Exploitation requires an attacker to have low privileges (PR:L) on an adjacent network (AV:A) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows scope change (S:C), granting high-impact remote code execution with full compromise of confidentiality, integrity, and availability (C:H/I:H/A:H).

The Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21198 provides details on patches and mitigation guidance.

Details

CWE(s)
CWE-306NVD-CWE-noinfo

Affected Products

microsoft
hpc pack 2016
≤ 2016.3
microsoft
hpc pack 2019
≤ 6.3.8328.0

CVEs Like This One

CVE-2026-26159Same vendor: Microsoft
CVE-2026-20803Same vendor: Microsoft
CVE-2026-26160Same vendor: Microsoft
CVE-2025-59246Same vendor: Microsoft
CVE-2026-26125Same vendor: Microsoft
CVE-2026-23669Same vendor: Microsoft
CVE-2026-21262Same vendor: Microsoft
CVE-2025-62550Same vendor: Microsoft
CVE-2025-62456Same vendor: Microsoft
CVE-2025-21355Same vendor: Microsoft

References