Skip to content
View in the app

A better way to browse. Learn more.

hosang I.T.

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Critical flaw in HPE Aruba CX switches lets attackers seize admin control without credentials

HPE Aruba Networking has released patches for five vulnerabilities in its AOS-CX switch software, the most severe of which could let a remote attacker take administrative control of enterprise network switches without any credentials.

The critical flaw, CVE-2026-23813, scored 9.8 out of 10 on the CVSSv3.1 scale. According to a security advisory HPE published on Tuesday, the vulnerability sits in the web-based management interface of AOS-CX switches. It requires no authentication, no privileges, and no user interaction to exploit, and can be triggered entirely over the network.

“A vulnerability has been identified in the web-based management interface of AOS-CX switches that could potentially allow an unauthenticated remote actor to circumvent existing authentication controls,” HPE said in a security advisory. “In some cases this could enable resetting the admin password.”

A researcher identified as “moonv” discovered and reported the vulnerability through HPE Aruba Networking’s bug bounty program, the advisory added.

The same advisory covers three further vulnerabilities in the AOS-CX command-line interface, all rated high severity, alongside a medium-rated open redirect flaw in the web interface.

CLI command injection flaws add to the risk

All three CLI vulnerabilities involve command injection, but differ in the level of access an attacker needs to exploit them.

CVE-2026-23814, scored 8.8, requires only low-level authenticated access. A remote attacker with minimal privileges could inject malicious commands through parameters in a CLI command, resulting in unwanted behavior, the advisory said. Italy’s National Cybersecurity Agency discovered and reported the flaw.

The other two CLI flaws, CVE-2026-23815 and CVE-2026-23816, both scored 7.2, need higher administrative privileges but still let an authenticated attacker run arbitrary commands on the underlying operating system, the advisory said. A fifth vulnerability, CVE-2026-23817, rated medium at 6.5, lets an unauthenticated attacker redirect users to an arbitrary URL through the web management interface.

“Exploitation of this Aruba vulnerability potentially gives attackers full control of AOS-CX network devices and the ability to compromise an entire system undetected,” said Ross Filipek, CISO at Corsica Technologies. “A successful compromise could lead to the disruption of network communications or the erosion of the integrity of key business services. This flaw is a reminder that vulnerabilities in network devices are becoming more common in today’s hyper-connected world. When attackers gain privileged access to these devices, it puts organizations at significant risk.”

HPE Aruba Networking said in the advisory that it was “not aware of any public discussion or exploit code targeting these specific vulnerabilities” as of publication. The vulnerabilities, however, affect a broad range of AOS-CX deployments across both campus and data center environments.

Exposure spans campus to data center switching

The vulnerabilities affect AOS-CX software across four active version branches, spanning entry-level campus switches to data center-class hardware. Versions that reached the end of support before the advisory’s publication are also expected to be vulnerable, the advisory said. Organizations running AOS-CX 10.17.0001 and below, 10.16.1020 and below, 10.13.1160 and below, or 10.10.1170 and below are affected, the advisory added.

The disclosure follows a series of recent HPE security advisories. In December 2025, HPE patched a maximum-severity remote code execution (RCE) flaw in its OneView infrastructure management software that affected all versions from 5.20 through 10.20. Weeks later, CISA added that flaw to its Known Exploited Vulnerabilities catalog, setting a January 28 deadline for federal civilian agencies to patch.

What to do before patching

The advisory recommended isolating switch management interfaces to a dedicated Layer 2 segment or VLAN, enforcing firewall policies at Layer 3 and above to limit access to authorized hosts, and disabling HTTP and HTTPS interfaces on Switched Virtual Interfaces and routed ports where management access is not needed.

Enforcing Control Plane Access Control Lists on REST and HTTPS endpoints and enabling comprehensive logging of management interface activity were also recommended, the advisory said. “HPE Aruba Networking does not evaluate or patch software branches that have reached their End of Maintenance (EoM) milestone,” the advisory noted.

View the full article

User Feedback

Recommended Comments

There are no comments to display.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Add a comment...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.