Siemens Altair Grid Engine

Plan Patch7.8ICS-CERT ICSA-25-317-16Nov 11, 2025

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

Altair Grid Engine versions prior to 2026.0.0 contain multiple privilege escalation vulnerabilities in setuid-root binaries. CVE-2025-40760 affects the authuser binary used by the UGERest API/daemon, and CVE-2025-40763 affects the sgepasswd binary on non-Windows clusters. These vulnerabilities allow users with local accounts to escalate to superuser privileges and execute arbitrary code, potentially compromising grid engine cluster operations and any dependent energy management or industrial control processes.

What this means

What could happen

An attacker with local access to a system running Altair Grid Engine could escalate privileges to superuser and execute arbitrary commands, allowing them to compromise cluster operations and potentially impact energy grid management or monitoring systems.

Who's at risk

Energy utilities and other organizations using Siemens Altair Grid Engine for compute cluster management and grid operations. This affects systems running versions below 2026.0.0 that have local user access enabled, particularly those managing industrial energy infrastructure, grid analysis, or power system simulations.

How it could be exploited

An attacker with a regular user account on the system could exploit privilege escalation vulnerabilities in setuid-root binaries (authuser for CVE-2025-40760, sgepasswd for CVE-2025-40763) to gain superuser permissions and run commands that affect job scheduling, compute cluster management, or grid engine services.

Prerequisites

Local user account on a system running Altair Grid Engine
UGERest API/daemon enabled (for CVE-2025-40760)
Non-Windows cluster (for CVE-2025-40763)

Local privilege escalationAffects setuid-root binariesDefault installation configuration vulnerableCould impact critical grid operations

Exploitability

Low exploit probability (EPSS 0.0%)

Affected products (1)

ProductAffected VersionsFix Status

Altair Grid Engine< 2026.0.02026.0.0

Remediation & Mitigation

0/5

Do now

0/2

WORKAROUNDFor clusters not using UGERest API/daemon, remove setuid-root bit from authuser binary: chmod u-s $SGE_ROOT/utilbin//authuser

WORKAROUNDOn non-Windows clusters, remove setuid-root bit from sgepasswd binary: chmod u-s $SGE_ROOT/bin//sgepasswd

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Altair Grid Engine to version 2026.0.0 or later

Long-term hardening

0/2

HARDENINGImplement network access controls and firewall rules to limit access to Altair Grid Engine systems to authorized personnel only

HARDENINGIsolate grid engine clusters and energy control networks from business networks and internet access

CVEs (2)

CVE-2025-40760 CVE-2025-40763

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/f2dd73aa-3be7-45ad-ba6f-70c4f263f30b