Hewlett Packard Enterprise fixes critical authentication bypass in Aruba AOS-CX

Hewlett Packard Enterprise (HPE) fixed several flaws in Aruba AOS-CX, including a critical bug that lets attackers reset admin passwords.

Hewlett Packard Enterprise (HPE) patched multiple vulnerabilities in Aruba AOS-CX, the operating system used in Aruba CX switches. The most severe issue, tracked as CVE-2026-23813 (CVSS score of 9.8), allows unprivileged attackers to bypass authentication and reset administrator passwords via a low-complexity attack.

“A vulnerability has been identified in the web-based management interface of AOS-CX switches that could potentially allow an unauthenticated remote actor to circumvent existing authentication controls. In some cases this could enable resetting the admin password,” reads the advisory.

To reduce the risk from CVE-2026-23813, Hewlett Packard Enterprise recommends isolating management interfaces on a dedicated VLAN, limiting access only to trusted hosts, disabling unnecessary HTTP/HTTPS management interfaces, enforcing ACLs for REST/HTTPS access, and enabling logging and monitoring to quickly detect unauthorized activity.

The researcher moonv reported the vulnerability through HPE Aruba Networking’s Bug Bounty program.

HPE also addressed the following vulnerabilities:

  • CVE-2026-23814 (CVSS score of 8.8) – Authenticated Command Injection in AOS-CX CLI command lets low-privilege remote attackers inject malicious commands via crafted parameters, leading to arbitrary code execution.
  • CVE-2026-23815 (CVSS score of 7.2) – Authenticated Command Injection in high-privilege AOS-CX CLI custom binary allows remote attackers to execute unauthorized OS commands on the underlying system.
  • CVE-2026-23816 (CVSS score of 7.2) – Authenticated Command Injection in AOS-CX CLI allows remote attackers to execute arbitrary OS commands via crafted input in the command line interface.
  • CVE-2026-23817 (CVSS score of 6.5) – Unauthenticated Open Redirect in AOS-CX web interface enables remote attackers to redirect users to arbitrary malicious URLs via crafted requests, potentially leading to phishing attacks.

HPE Aruba Networking has no evidence of attacks in the wild exploiting these vulnerabilities.

“HPE Aruba Networking is not aware of any public discussion or exploit code targeting these specific vulnerabilities as of the release date of the advisory,” continues the advisory.

In July 2025, HPE disclosed hardcoded credentials in Aruba Instant On Wi-Fi devices that allow attackers to bypass login and access the web interface. The flaw, tracked as CVE-2025-37103 (CVSS score of 9.8), impacts devices running firmware version 3.2.0.1 and below.

Aruba Instant On is a line of plug-and-play Wi-Fi access points designed specifically for small and medium-sized businesses (SMBs). The product provides reliable, secure, and easy-to-manage wireless networks without the complexity or cost of enterprise systems.

“Hardcoded login credentials were found in HPE Networking Instant On Access Points, allowing anyone with knowledge of it to bypass normal device authentication.” reads the advisory. “Successful exploitation could allow a remote attacker to gain administrative access to the system.”

Pierluigi Paganini

(SecurityAffairs – hacking, HPE)