Siemens Altair Grid Engine
Plan Patch · CVSS 7.8 · ICS-CERT ICSA-25-317-16 · Nov 11, 2025
Siemens · Energy
Attack path
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Altair Grid Engine versions prior to 2026.0.0 contain privilege escalation vulnerabilities in components that run with setuid-root permissions: CVE-2025-40760 in the UGERest API daemon and CVE-2025-40763 in the sgepasswd binary. An attacker with local access to a cluster node can exploit these to execute code as root. These vulnerabilities are not remotely exploitable and require prior local system compromise.
What this means
What could happen
An attacker with local system access to an Altair Grid Engine cluster node could escalate privileges to root and execute arbitrary commands on the system, potentially disrupting grid scheduling operations and compromising cluster integrity.
Who's at risk
Organizations operating Altair Grid Engine for high-performance computing workloads in research, engineering, or large-scale simulation environments should prioritize patching. Grid Engine is used by universities, national labs, and energy sector organizations to manage compute clusters; compromise could disrupt critical simulations or batch processing workflows.
How it could be exploited
An attacker must first gain local access to a Grid Engine node (e.g., via a compromised user account or SSH). They then exploit the privilege escalation flaw in the UGERest API daemon (CVE-2025-40760) or the sgepasswd binary (CVE-2025-40763), both of which run with setuid-root permissions, to execute code as root and take control of the node.
Prerequisites
- Local shell access to a Grid Engine compute or submit node
- User account with permission to execute setuid binaries
- UGERest API/daemon enabled on the cluster (CVE-2025-40760)
- Non-Windows cluster environment (CVE-2025-40763)
- Local privilege escalation vulnerability
- Low attack complexity
- No authentication required (post-compromise)
- Affects cluster control and scheduling infrastructure
- Default setuid permissions enable exploitation
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (1)
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| Altair Grid Engine | < 2026.0.0 | 2026.0.0 |
Remediation & Mitigation
Do now
- WORKAROUND: For CVE-2025-40760: If UGERest API/daemon is not in use, remove setuid-root bit from authuser binary on all architectures: chmod u-s $SGE_ROOT/utilbin/*/authuser
- WORKAROUND: For CVE-2025-40763: On non-Windows clusters, remove setuid-root bit from sgepasswd binary on all architectures: chmod u-s $SGE_ROOT/bin/*/sgepasswd
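An added example (not vendor or advisory code) that audits either workaround across every architecture directory and confirms the setuid bit is actually gone after chmod u-s. The function names, the script name sge_setuid.sh and its report/fix arguments are assumptions; the path globs are the ones given in the workarounds, and the check reports the setuid bit regardless of file owner.

```shell
#!/bin/sh
# Added example: audit and clear the setuid bit on the two binaries named in
# the workarounds, using the advisory's own path globs.

# list_setuid ROOT NAME: print each matching binary that still has setuid set.
list_setuid() {
    case $2 in
        authuser)  set -- "$1"/utilbin/*/authuser ;;   # CVE-2025-40760
        sgepasswd) set -- "$1"/bin/*/sgepasswd ;;      # CVE-2025-40763
        *) echo "unknown binary: $2" >&2; return 2 ;;
    esac
    for f in "$@"; do
        # -u: file exists and has the setuid bit; an unmatched glob fails this
        if [ -u "$f" ]; then printf '%s\n' "$f"; fi
    done
    return 0
}

# clear_setuid ROOT NAME: chmod u-s each hit, then re-audit.
# Returns 0 only when no matching binary is left setuid.
clear_setuid() {
    list_setuid "$1" "$2" >/dev/null || return   # reject unknown names
    list_setuid "$1" "$2" | while IFS= read -r f; do
        chmod u-s "$f" || echo "chmod failed: $f" >&2
    done
    [ -z "$(list_setuid "$1" "$2")" ]
}

# Hypothetical usage: SGE_ROOT=/path sh sge_setuid.sh report|fix authuser|sgepasswd
case ${1:-} in
    report) list_setuid "${SGE_ROOT:?SGE_ROOT not set}" "${2:-}" ;;
    fix)    clear_setuid "${SGE_ROOT:?SGE_ROOT not set}" "${2:-}" ;;
esac
```

Run report on each node first; apply fix for authuser only where the UGERest API/daemon is not in use, as the workaround states.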
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
- HOTFIX: Update Altair Grid Engine to version 2026.0.0 or later
- HARDENING: Restrict network access to Grid Engine nodes and daemons to trusted compute and management networks only
Long-term hardening
- HARDENING: Isolate Grid Engine cluster networks from corporate business networks with firewalls and network segmentation
CVEs (2)
API: /api/v1/advisories/f2dd73aa-3be7-45ad-ba6f-70c4f263f30b