Hewlett Packard Enterprise (HPE) has issued an urgent security bulletin regarding a critical vulnerability in its AutoPass License Server (APLS). The flaw, tracked as CVE-2026-23600, has been assigned a maximum CVSSv4 score of 10.0, indicating the highest possible level of severity.
HPE AutoPass License Server is a widely used web-based solution for managing floating licenses across a broad spectrum of HPE Enterprise Solution Software products.
The core of the issue is an authentication bypass vulnerability. In cybersecurity, this is equivalent to an attacker finding a way to walk through a high-security vault door without needing a key, code, or biometric scan.
- Remote Exploitation: Attackers do not need physical access to the server; the vulnerability can be exploited over the network.
- Zero Privileges Required: An unauthenticated user can bypass security checks to gain unauthorized access to the license management system.
- Massive Scope: Because APLS manages floating licenses for numerous enterprise-grade software products, a compromise here could disrupt software availability and organizational operations at scale.
The vulnerability affects all versions of HPE AutoPass License Server prior to 9.19. It was discovered and responsibly reported by an anonymous researcher working with the TrendAI Zero Day Initiative (ZDI), a group known for identifying high-impact vulnerabilities before they can be weaponized by malicious actors.
HPE has moved quickly to release a resolution, urging all administrators to update their installations immediately.
| Affected Software | Vulnerable Versions | Remediation |
| --- | --- | --- |
| HPE AutoPass License Server (APLS) | Prior to 9.19 | Upgrade to version 9.19 or later |