CVE-2025-55232
Published: 09 September 2025
Summary
CVE-2025-55232 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Microsoft Hpc Pack. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 8.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-55232 is a deserialization of untrusted data vulnerability, tracked under CWE-502, that affects Microsoft High Performance Compute Pack (HPC). The flaw carries a CVSS 3.1 base score of 9.8 and permits remote code execution when untrusted data is processed without sufficient validation.
An unauthenticated attacker can exploit the issue over a network with low attack complexity and no user interaction required. Successful exploitation grants the ability to execute arbitrary code with impacts to confidentiality, integrity, and availability all rated high.
The official advisory published by Microsoft at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55232 provides mitigation guidance and patch information for affected versions of the HPC Pack. The associated EPSS score has remained flat at 0.0645 with no observed increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-27340
Vulnerability details
Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an unauthorized attacker to execute code over a network.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated deserialization RCE directly enables exploitation of public-facing applications.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses the CVE by requiring identification, reporting, and correction of the specific deserialization flaw through timely patching.
Prevents exploitation of deserialization of untrusted data by implementing input validation mechanisms at network entry points.
Mitigates arbitrary code execution from deserialization by protecting system memory from unauthorized code execution using safeguards like DEP and ASLR.