Hewlett Packard Enterprise: HPE AutoPass Vulnerability Allows Remote Attackers to Bypass Authentication

HPE Patches Critical Authentication Bypass Flaw in AutoPass License Server

Hewlett Packard Enterprise (HPE) has addressed a severe remote authentication-bypass vulnerability in its AutoPass License Server (APLS), tracked as CVE-2026-23600, which could allow unauthenticated attackers to bypass login controls over the network.

The flaw, disclosed in HPE Security Bulletin HPESBGN05003 rev.1 (published February 27, 2026, with a final update on February 28, 2026), affects APLS versions prior to 9.19. HPE rates the vulnerability as 7.3 (High) on the CVSS v3.1 scale, citing network-based exploitation with low attack complexity, no required privileges, and no user interaction. Successful exploitation could grant attackers access to protected functionality without valid credentials.

The issue was responsibly reported by an anonymous researcher through the Trend Micro Zero Day Initiative. HPE’s remediation requires upgrading to APLS 9.19 or later, with no known workarounds beyond patching. Additional defensive measures include restricting network access to license servers, isolating them behind VPNs or dedicated management networks, and monitoring for anomalous authentication attempts.

Organizations running affected versions are advised to apply the update promptly, as the flaw exposes high-value infrastructure to potential unauthorized access.

Source: https://gbhackers.com/hpe-autopass-vulnerability/

Hewlett Packard Enterprise cybersecurity rating report: https://www.rankiteo.com/company/hewlett-packard-enterprise

{
  "id": "HEW1772540968",
  "linkid": "hewlett-packard-enterprise",
  "type": "Vulnerability",
  "date": "2/2026",
  "severity": "25",
  "impact": "1",
  "explanation": "Attack without any consequences"
}
{'affected_entities': [{'industry': 'Technology/IT',
                        'name': 'Hewlett Packard Enterprise (HPE)',
                        'type': 'Corporation'}],
 'attack_vector': 'Network',
 'date_publicly_disclosed': '2026-02-27',
 'date_resolved': '2026-02-28',
 'description': 'Hewlett Packard Enterprise (HPE) has addressed a severe '
                'remote authentication-bypass vulnerability in its AutoPass '
                'License Server (APLS), tracked as CVE-2026-23600, which could '
                'allow unauthenticated attackers to bypass login controls over '
                'the network.',
 'impact': {'operational_impact': 'Unauthorized access to protected '
                                  'functionality',
            'systems_affected': 'AutoPass License Server (APLS)'},
 'post_incident_analysis': {'corrective_actions': 'Patch management (upgrade '
                                                  'to APLS 9.19 or later), '
                                                  'network segmentation, '
                                                  'enhanced monitoring',
                            'root_causes': 'Authentication bypass '
                                           'vulnerability in AutoPass License '
                                           'Server (APLS)'},
 'recommendations': 'Organizations running affected versions are advised to '
                    'apply the update promptly to mitigate exposure to '
                    'potential unauthorized access.',
 'references': [{'source': 'HPE Security Bulletin HPESBGN05003 rev.1'},
                {'source': 'Trend Micro Zero Day Initiative'}],
 'response': {'containment_measures': 'Restricting network access to license '
                                      'servers, isolating them behind VPNs or '
                                      'dedicated management networks',
              'enhanced_monitoring': 'Monitoring for anomalous authentication '
                                     'attempts',
              'network_segmentation': 'Isolating license servers behind VPNs '
                                      'or dedicated management networks',
              'remediation_measures': 'Upgrading to APLS 9.19 or later'},
 'title': 'HPE Patches Critical Authentication Bypass Flaw in AutoPass License '
          'Server',
 'type': 'Authentication Bypass',
 'vulnerability_exploited': 'CVE-2026-23600'}