Cyber Resilience

CVE-2025-55232

CriticalRCE

Published: 09 September 2025

Published
09 September 2025
Modified
19 December 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0645 91.3th percentile
Risk Priority 23 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-55232 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Microsoft Hpc Pack. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 8.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-55232 is a deserialization of untrusted data vulnerability, tracked under CWE-502, that affects Microsoft High Performance Compute Pack (HPC). The flaw carries a CVSS 3.1 base score of 9.8 and permits remote code execution when untrusted data is processed without sufficient validation.

An unauthenticated attacker can exploit the issue over a network with low attack complexity and no user interaction required. Successful exploitation grants the ability to execute arbitrary code with impacts to confidentiality, integrity, and availability all rated high.

The official advisory published by Microsoft at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55232 provides mitigation guidance and patch information for affected versions of the HPC Pack. The associated EPSS score has remained flat at 0.0645 with no observed increase since disclosure.

EU & UK References

Vulnerability details

Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an unauthorized attacker to execute code over a network.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated deserialization RCE directly enables exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-32184Same product: Microsoft Hpc Pack
CVE-2025-59287Same vendor: Microsoft
CVE-2026-26114Same vendor: Microsoft
CVE-2026-21531Same vendor: Microsoft
CVE-2026-41104Same vendor: Microsoft
CVE-2025-59237Same vendor: Microsoft
CVE-2025-54897Same vendor: Microsoft
CVE-2026-20963Same vendor: Microsoft
CVE-2026-35439Same vendor: Microsoft
CVE-2026-40357Same vendor: Microsoft

Affected Assets

microsoft
hpc pack
≤ 6.3.8352

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the CVE by requiring identification, reporting, and correction of the specific deserialization flaw through timely patching.

prevent

Prevents exploitation of deserialization of untrusted data by implementing input validation mechanisms at network entry points.

prevent

Mitigates arbitrary code execution from deserialization by protecting system memory from unauthorized code execution using safeguards like DEP and ASLR.

References