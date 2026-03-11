HPE patches five vulnerabilities in Aruba AOS-CX

Critical flaw (CVE-2026-23813) allowed admin password reset

Company urges mitigations until fixes are applied

Hewlett Packard Enterprise (HPE) has warned its customers after discovering five vulnerabilities in its products, including one that cybercriminals could use to take over certain endpoints.

In a newly released security advisory, HPE said it addressed a critical authentication bypass flaw that unauthenticated attackers can use in low-complexity attacks to reset admin passwords. The bug is now tracked as CVE-2026-23813 and has a severity score of 9.1/10 (critical).

It affects the Aruba Networking AOS-CX operating system, a cloud-native network OS built for HPE’s CX-series campus and data center switch hardware.

Patches and workarounds

"A vulnerability has been identified in the web-based management interface of AOS-CX switches that could potentially allow an unauthenticated remote actor to circumvent existing authentication controls," HPE said in the advisory. "In some cases this could enable resetting the admin password."

The other four vulnerabilities are now tracked as CVE-2026-23814, CVE-2026-23815, CVE-2026-23816, and CVE-2026-23817, apparently affecting the following AOS-CX releases:

AOS-CX 10.17.xxxx: 10.17.0001 and below,

AOS-CX 10.16.xxxx: 10.16.1020 and below,

AOS-CX 10.13.xxxx: 10.13.1160 and below,

AOS-CX 10.10.xxxx: 10.10.1170 and below.
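The first thing a network team needs from an advisory like this is an answer to "which of our switches run an affected build?". The following script is an added example, not code from the article or from HPE: it encodes the per-branch ceilings exactly as the article lists them, compares a running version against the ceiling for its branch, and labels every switch in a constructed sample inventory (hostnames and versions are made up). A version whose branch is not in the list is reported as "verify", not "ok", because the article only summarises the affected branches and hedges with "apparently".

```python
from typing import Optional

# Highest affected build per AOS-CX branch, as stated in the article.
# Confirm these against HPE's own advisory before relying on them.
AFFECTED_CEILING = {
    "10.17": "10.17.0001",
    "10.16": "10.16.1020",
    "10.13": "10.13.1160",
    "10.10": "10.10.1170",
}


def parse_version(version: str) -> tuple[int, int, int]:
    """Split an AOS-CX version such as '10.16.1020' into comparable integers."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected AOS-CX version format: {version!r}")
    major, minor, build = (int(p) for p in parts)
    return major, minor, build


def is_affected(version: str) -> Optional[bool]:
    """True if the build is at or below the affected ceiling for its branch,
    False if it is above the ceiling, None if the branch is not in the
    article's list (treat None as 'verify manually', never as 'safe')."""
    major, minor, build = parse_version(version)
    ceiling = AFFECTED_CEILING.get(f"{major}.{minor}")
    if ceiling is None:
        return None
    return (major, minor, build) <= parse_version(ceiling)


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map each switch name to 'patch', 'ok' or 'verify' from its running version."""
    labels = {True: "patch", False: "ok", None: "verify"}
    return {name: labels[is_affected(ver)] for name, ver in inventory.items()}


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = {
    "sw-core-1": "10.17.0001",
    "sw-core-2": "10.17.0002",
    "sw-dist-1": "10.16.1020",
    "sw-dist-2": "10.13.1170",
    "sw-access-7": "10.10.1100",
    "sw-lab-1": "10.15.0010",
}

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name:12} {SAMPLE_INVENTORY[name]:12} {status}")
```

The comparison is done on integer tuples rather than on strings so that a build like 10.13.1170 sorts correctly above 10.13.1160, and a malformed version string raises rather than silently landing in the "ok" bucket.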

The good news is that there are no reports of abuse in the wild just yet.

If you can’t apply the fix immediately, HPE also shared a list of possible mitigations:

Restrict access to all management interfaces to a dedicated Layer 2 segment or VLAN to isolate management traffic from general network traffic,

Implement strict policies at Layer 3 and above to control access to management interfaces, permitting only authorized and trusted hosts,

Disable HTTP(S) interfaces on Switched Virtual Interfaces (SVIs) and routed ports wherever management access is not required,

Enforce Control Plane Access Control Lists (ACLs) to protect any REST/HTTP-enabled management interfaces, ensuring only trusted clients are allowed to connect to the HTTPS/REST endpoints,

Enable comprehensive accounting, logging, and monitoring of all management interface activities to detect and respond to unauthorized access attempts promptly.
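The last mitigation only pays off if someone actually looks at the management-plane logs. The script below is an added example, not the article's or HPE's code, showing what that review can look like once logs are centralised: it checks every management-interface event against a trusted management segment (the dedicated VLAN the first mitigation asks for) and separately flags account changes such as password resets, which is the action the critical flaw enables. The log lines, the field layout and the trusted network are all constructed for the example; the real AOS-CX log format differs, so the regular expression is the part to adapt.

```python
import ipaddress
import re
from collections import Counter

# Management segment that should be the only source of management traffic.
# Hypothetical value for the example; substitute your own management VLAN.
TRUSTED_MGMT_NETWORKS = [ipaddress.ip_network("10.0.100.0/24")]

# Constructed sample records in a generic syslog-like shape. This is NOT the
# real AOS-CX log format; map your switches' actual fields onto LINE_RE below.
SAMPLE_LOGS = """\
2026-03-11T08:00:01Z sw-core-1 mgmt-https: login src=10.0.100.15 user=admin result=success
2026-03-11T08:00:07Z sw-core-1 mgmt-https: login src=192.0.2.44 user=admin result=failure
2026-03-11T08:00:09Z sw-core-1 mgmt-rest: account-change src=192.0.2.44 user=admin result=success
2026-03-11T08:01:30Z sw-dist-2 mgmt-https: login src=10.0.100.22 user=netops result=success
2026-03-11T08:02:45Z sw-dist-2 mgmt-rest: account-change src=10.0.100.22 user=netops result=success
2026-03-11T08:03:12Z sw-core-1 mgmt-https: login src=198.51.100.9 user=admin result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<switch>\S+) (?P<channel>mgmt-\S+): (?P<event>\S+) "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def is_trusted(src: str) -> bool:
    """True if the source address lies inside an allowed management segment."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_MGMT_NETWORKS)


def find_findings(log_text: str) -> list[dict]:
    """Return one finding per record that violates the management-access policy:
    any management-plane event from an untrusted source, and any account change
    (e.g. a password reset) from any source, since that is the action the
    advisory's flaw exposes and it deserves a human look either way."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # unparseable line; in production, count and alert on these too
        rec = m.groupdict()
        reasons = []
        if not is_trusted(rec["src"]):
            reasons.append("untrusted-source")
        if rec["event"] == "account-change":
            reasons.append("account-change")
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings


def untrusted_sources(log_text: str) -> Counter:
    """Count management-plane events per untrusted source, which is the list
    you would feed into the control-plane ACL review."""
    return Counter(
        f["src"] for f in find_findings(log_text) if "untrusted-source" in f["reasons"]
    )


if __name__ == "__main__":
    for f in find_findings(SAMPLE_LOGS):
        print(f"{f['ts']} {f['switch']} {f['event']} from {f['src']}: {', '.join(f['reasons'])}")
    print("untrusted sources:", dict(untrusted_sources(SAMPLE_LOGS)))
```

On the sample data the rule surfaces an account change from an address outside the management VLAN on sw-core-1, which is the pattern a successful exploitation of the password-reset flaw would leave behind, while a routine account change from the management segment is still listed for review but without the untrusted-source reason.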

