VYPR
Unrated severity · NVD Advisory · Published Aug 30, 2018 · Updated Sep 17, 2024

CVE-2018-6499

Description

Remote code execution vulnerability in AutoPass License Server (APLS) used by multiple Micro Focus containerized suites, affecting versions prior to 10.7.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2018-6499 is a remote code execution vulnerability in the Micro Focus AutoPass License Server (APLS), a component used by several containerized suites. The affected products include: Hybrid Cloud Management Containerized Suite HCM2017.11, HCM2018.02, HCM2018.05; Operations Bridge Containerized Suite 2017.11, 2018.02, 2018.05; Data Center Automation Containerized Suite 2017.01 through 2018.05; Service Management Automation Suite 2017.11, 2018.02, 2018.05; Network Operations Management (NOM) Suite CDF 2017.11, 2018.02, 2018.05; and Micro Focus Network Virtualization (NV), Unified Functional Testing (UFT), and Service Virtualization (SV) with floating licenses using any APLS version older than 10.7 [1][2][3][4].

Exploitation

This vulnerability is exploitable from an adjacent network (AV:A) and requires that the attacker hold high privileges (PR:H) and that a user perform some interaction (UI:R) [2][3][4]. Specific exploitation steps are not detailed in the available references; the condition for exploitation involves an authenticated user interacting with a malicious request, likely over the network, which triggers code execution on the APLS server.

Impact

Successful exploitation allows an attacker to achieve remote code execution on the affected system [1][2][3][4]. The CVSS v3.1 base score is 6.4, with the vector AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:H, indicating a changed scope (S:C) with limited confidentiality and integrity impact (C:L, I:L) but high availability impact (A:H) [2][3][4]. The attacker gains the ability to execute arbitrary commands, potentially compromising the license server and affecting the availability of licensed services.

Mitigation

The official fix is to upgrade AutoPass License Server (APLS) to version 10.7 or later where applicable [1]. For the containerized suites (DCA, SMA, NOM, HCM, Operations Bridge), specific fixed versions were released concurrently with the bulletin on 2018-08-30; administrators should apply the latest updates from Micro Focus as described in the respective product documentation [2][3][4]. No workarounds are mentioned in the available references, and there is no indication that this CVE is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

11

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

6
