HPE AutoPass License Server allows authentication bypass
HPE warns of a critical vulnerability in the HPE AutoPass License Server (APLS). Authentication can be bypassed.
IT security researchers from Trend Micro's Zero Day Initiative (ZDI) have discovered a critical vulnerability in the HPE AutoPass License Server (APLS) that allows attackers to bypass authentication. Updated software is intended to fix the flaw.
Hewlett Packard Enterprise warns in a support post about the vulnerability. Details are not provided, but HPE states: "A potential vulnerability has been identified in HPE AutoPass License Server (APLS). This vulnerability could be remotely exploited to allow authentication bypass" (CVE-2026-23600, CVSS [v3.1] 7.3, risk "high"). According to the CVE entry, the CVSS4 rating is 10.0, classifying the risk as "critical".
HPE APLS Vulnerability: Affected Systems
Among the affected systems, the authors specifically mention the HPE StoreOnce Virtual Storage Appliance (VSA). HPE StoreOnce is a cloud backup system. The virtual appliance runs within a virtual machine. The HPE AutoPass License Server is used for managing and distributing software licenses. HPE is tight-lipped about what attackers can do with unauthorized access. Given the severity of the vulnerability, however, it is likely that they can compromise the system and not just manipulate license distribution itself.
According to the authors of the support post, the vulnerability is fixed in HPE AutoPass License Server (APLS) version 9.19 or newer. This is available on a dedicated download page. IT administrators should install the latest version promptly.
About a month ago, vulnerabilities in the HPE Aruba Fabric Composer network management software became known. Attackers were able to push malicious code onto vulnerable instances, thereby compromising them.
(dmk)