CVE-2025-43904 Overview
CVE-2025-43904 is an Improper Authorization vulnerability (CWE-863) in SchedMD Slurm, a widely used open-source workload manager for high-performance computing (HPC) clusters. The vulnerability exists in the accounting system and allows a user with Coordinator privileges to improperly promote another user to Administrator level, bypassing normal authorization controls.
Critical Impact
This privilege escalation vulnerability in Slurm's accounting system could allow unauthorized administrative access to HPC cluster resources, potentially compromising workload integrity, data confidentiality, and system availability across affected computing environments.
Affected Products
- SchedMD Slurm versions before 24.11.5
- SchedMD Slurm versions before 24.05.8
- SchedMD Slurm versions before 23.11.11
Discovery Timeline
- 2026-01-16 - CVE-2025-43904 published to NVD
- 2026-01-16 - Last updated in the NVD database
Technical Details for CVE-2025-43904
Vulnerability Analysis
This vulnerability represents an Improper Authorization flaw (CWE-863) within Slurm's accounting subsystem. The accounting system in Slurm manages user associations, resource allocations, and administrative privileges across the cluster. Under normal operation, only users with full Administrator privileges should be able to elevate other users to Administrator status.
The flaw allows users holding Coordinator-level privileges to bypass this restriction and promote users to Administrator. Coordinators typically have elevated permissions within their assigned accounts or partitions but should not possess cluster-wide administrative capabilities. This authorization bypass undermines the principle of least privilege and the hierarchical access control model that Slurm implements.
The vulnerability requires network access and authenticated low-privileged access (Coordinator role), making it exploitable by insider threats or compromised Coordinator accounts. While the attack complexity is considered high, successful exploitation results in unauthorized read and write capabilities within the affected scope.
Root Cause
The root cause of CVE-2025-43904 lies in insufficient authorization checks within Slurm's accounting system when processing privilege modification requests. The system fails to properly validate that the requesting user possesses adequate privileges (Administrator level) before allowing user role promotion operations. This allows Coordinator-level users to execute administrative functions that should be restricted to full Administrators only.
Attack Vector
The attack is network-based and requires the attacker to have authenticated access with at least Coordinator privileges within the Slurm cluster. The attacker leverages the accounting system interface to submit a request that promotes a target user (potentially themselves or a collaborator) to Administrator status. Due to the missing authorization checks, this request is processed successfully despite the requester lacking the necessary privileges.
This vulnerability does not require user interaction and operates within an unchanged scope, meaning the impact is contained to the vulnerable Slurm component itself rather than affecting other system components. However, gaining Administrator access to a Slurm cluster could enable further attacks against managed compute nodes and workloads.
The vulnerability is documented in the SchedMD Mailing List Update and is covered under the SchedMD Security Policy.
Detection Methods for CVE-2025-43904
Indicators of Compromise
- Unexpected user promotions to Administrator role in Slurm accounting logs
- Audit trail entries showing Coordinator accounts modifying user privilege levels
- Anomalous sacctmgr commands or API calls from non-Administrator accounts attempting to modify user roles
Detection Strategies
- Monitor Slurm accounting logs for privilege modification events originating from non-Administrator accounts
- Implement alerting on any user role changes to Administrator status
- Audit sacctmgr command history for unauthorized privilege escalation attempts
- Review Slurm database (slurmdbd) logs for suspicious user modification transactions
Monitoring Recommendations
- Enable verbose logging in slurmdbd to capture detailed accounting system operations
- Implement SIEM integration to correlate Slurm accounting events with authentication logs
- Establish baseline behavior for Coordinator accounts and alert on deviations
- Regularly audit the list of Administrator accounts for unauthorized additions
How to Mitigate CVE-2025-43904
Immediate Actions Required
- Upgrade SchedMD Slurm to 24.11.5, 24.05.8, or 23.11.11 (or later), depending on your current release branch
- Audit all current Administrator accounts to identify any unauthorized promotions
- Review accounting logs for evidence of exploitation prior to patching
- Restrict network access to Slurm control and accounting services to trusted networks only
Patch Information
SchedMD has released patched versions that address this authorization bypass vulnerability. Organizations should upgrade to the following minimum versions:
- 24.11.x branch: Upgrade to 24.11.5 or later
- 24.05.x branch: Upgrade to 24.05.8 or later
- 23.11.x branch: Upgrade to 23.11.11 or later
For detailed patch information and release notes, refer to the SchedMD Mailing List Update and the SchedMD Security Policy.
Workarounds
- Limit network access to slurmctld and slurmdbd services using firewall rules
- Reduce the number of users with Coordinator privileges to minimize attack surface
- Implement additional monitoring and alerting on all accounting system privilege changes
- Consider temporarily disabling remote sacctmgr access until patching is complete
# Example: restrict access to the slurmdbd port (default 6819) via iptables.
# Replace 10.0.0.0/24 with the management network that hosts slurmctld and
# the administrator workstations; -A appends, so confirm these rules are not
# shadowed by earlier ones (iptables -L INPUT -n --line-numbers).
iptables -A INPUT -p tcp --dport 6819 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 6819 -j DROP
# Audit current administrator accounts (one row per user; WithAssoc is not
# needed here and would repeat each user once per association).
sacctmgr show user format=User,AdminLevel where adminlevel=Administrator
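The detection and monitoring recommendations above (alerting on any role change to Administrator, baselining accounts and alerting on deviations) and the "audit all current Administrator accounts" action both reduce to the same task: snapshot the AdminLevel of every Slurm user and compare it against a previous snapshot and an approved list. The following script is an added example, not SchedMD's code. It assumes the output of `sacctmgr -P show user format=User,AdminLevel` (pipe-delimited rows with a header line), that the admin-level column is headed `Admin` or `AdminLevel`, and that AdminLevel renders as `None`, `Operator` or `Administrator`; the two snapshots and the allowlist embedded below are constructed sample data.

```python
"""Audit Slurm AdminLevel assignments from sacctmgr parsable output.

Added example (not SchedMD's code). Parses `sacctmgr -P show user
format=User,AdminLevel`, diffs a saved baseline against the current
snapshot, and reports every promotion to Administrator plus every
Administrator that is not on the approved allowlist.
"""
import subprocess
from typing import Dict, List, Set, Tuple

ADMIN = "Administrator"

# Constructed sample snapshots (not real cluster output). In the "current"
# snapshot carol has been promoted to Administrator and erin is a new user.
BASELINE_SNAPSHOT = """User|Admin
root|Administrator
alice|Administrator
bob|Operator
carol|None
dave|None
"""

CURRENT_SNAPSHOT = """User|Admin
root|Administrator
alice|Administrator
bob|Operator
carol|Administrator
dave|None
erin|None
"""

# Accounts that are allowed to hold Administrator (constructed for the example).
APPROVED_ADMINS: Set[str] = {"root", "alice"}


def parse_sacctmgr_users(text: str) -> Dict[str, str]:
    """Map user name -> AdminLevel from `sacctmgr -P show user ...` output."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    if not lines:
        return {}
    header = [h.strip().lower() for h in lines[0].split("|")]
    if "user" not in header:
        raise ValueError(f"unexpected sacctmgr header: {lines[0]!r}")
    user_idx = header.index("user")
    # The column label depends on the sacctmgr version; accept either spelling.
    admin_idx = next((i for i, h in enumerate(header) if h in ("admin", "adminlevel")), None)
    if admin_idx is None:
        raise ValueError(f"no AdminLevel column in header: {lines[0]!r}")
    users: Dict[str, str] = {}
    for ln in lines[1:]:
        fields = ln.split("|")
        if len(fields) <= max(user_idx, admin_idx):
            continue  # truncated row; skip rather than misattribute a level
        users[fields[user_idx].strip()] = fields[admin_idx].strip()
    return users


def role_changes(baseline: Dict[str, str], current: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (user, old_level, new_level) for every user whose level differs.

    Users present in only one snapshot are reported with level 'absent'.
    """
    changes = []
    for user in sorted(set(baseline) | set(current)):
        old, new = baseline.get(user, "absent"), current.get(user, "absent")
        if old != new:
            changes.append((user, old, new))
    return changes


def unexpected_administrators(current: Dict[str, str], allowlist: Set[str]) -> List[str]:
    """Administrators in the current snapshot that are not on the approved list."""
    return sorted(u for u, lvl in current.items() if lvl == ADMIN and u not in allowlist)


def audit(baseline_text: str, current_text: str, allowlist: Set[str]) -> Dict[str, list]:
    """Run both checks and return the findings as plain lists for alerting."""
    baseline = parse_sacctmgr_users(baseline_text)
    current = parse_sacctmgr_users(current_text)
    changes = role_changes(baseline, current)
    return {
        "all_changes": changes,
        "promotions": [c for c in changes if c[2] == ADMIN],
        "unexpected_admins": unexpected_administrators(current, allowlist),
    }


def collect_live_snapshot() -> str:
    """Fetch the current snapshot from a real cluster (not used by the sample run)."""
    cmd = ["sacctmgr", "-P", "show", "user", "format=User,AdminLevel"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    report = audit(BASELINE_SNAPSHOT, CURRENT_SNAPSHOT, APPROVED_ADMINS)
    for user, old, new in report["promotions"]:
        print(f"ALERT promotion to Administrator: {user} ({old} -> {new})")
    for user in report["unexpected_admins"]:
        print(f"ALERT Administrator not on allowlist: {user}")
```

Run it from cron or a SIEM collector, replacing the embedded sample with `collect_live_snapshot()` and a baseline file written at the previous run; any non-empty `promotions` or `unexpected_admins` list is the event the Detection Strategies section asks you to alert on, and the full `all_changes` list gives the reviewer the before/after levels to compare against change tickets.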
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.