CVE-2025-37105 is a high-severity remote code execution (RCE) vulnerability affecting Hewlett Packard Enterprise's AutoPass License Server (APLS) versions prior to 9.18. The vulnerability is related to the use of hsqldb (HyperSQL DataBase), an embedded Java SQL database engine, within the APLS product. Specifically, it is categorized under CWE-94, which indicates improper control of code generation or execution, often leading to code injection or execution flaws. This vulnerability allows an unauthenticated attacker to remotely execute arbitrary code on the affected server without requiring user interaction. The CVSS v3.1 base score is 7.5, reflecting high impact on confidentiality, integrity, and availability, but with attack vector limited to adjacent network (AV:A) and high attack complexity (AC:H). The vulnerability does not require privileges or user interaction, increasing its risk profile. Although no known exploits are currently reported in the wild, the potential for exploitation exists given the nature of RCE vulnerabilities. The lack of available patches at the time of publication further elevates the risk for organizations using vulnerable versions of HPE AutoPass License Server. The vulnerability could be exploited by sending crafted requests that leverage the hsqldb component to execute malicious code, potentially compromising the license server and any connected infrastructure.

For European organizations, the impact of this vulnerability could be significant, especially for those relying on HPE AutoPass License Server to manage software licenses and entitlements. Compromise of the license server could lead to unauthorized access to license management data, disruption of license validation processes, and potential lateral movement within the network. This could result in operational downtime, loss of critical licensing functionality, and exposure of sensitive business information. Additionally, since the vulnerability allows remote code execution, attackers could deploy malware, ransomware, or establish persistent backdoors, amplifying the damage. Given that many European enterprises and public sector organizations use HPE products, the risk extends to critical infrastructure and services. The adjacent network attack vector suggests that attackers need to be on the same or connected network segment, which might limit exposure but still poses a threat in segmented or cloud environments. The high attack complexity may reduce the likelihood of widespread exploitation but does not eliminate targeted attacks against high-value European targets.

Organizations should prioritize upgrading HPE AutoPass License Server to version 9.18 or later once patches become available. Until then, network segmentation should be enforced to restrict access to the license server, limiting it to trusted hosts only. Monitoring and logging of network traffic to and from the license server should be enhanced to detect anomalous activities indicative of exploitation attempts. Implement strict firewall rules to block unauthorized access to the server's management interfaces. Employ intrusion detection/prevention systems (IDS/IPS) with signatures tuned for hsqldb-related exploits. Conduct regular vulnerability scans and penetration tests focusing on license server components. Additionally, organizations should review and harden the configuration of the hsqldb component, disabling any unnecessary features or services. Incident response plans should be updated to include scenarios involving license server compromise. Finally, maintain close communication with Hewlett Packard Enterprise for timely updates and advisories regarding this vulnerability.