HPE Patches Multiple Flaws in Aruba AOS-CX, Including a Critical One Allowing Admin Password Resets
Take action: Isolate your switch management interfaces on a separate VLAN that's only accessible from trusted networks. Then plan a patch cycle for your AOS-CX devices. For good measure, disable the web interface on all ports where it is not strictly necessary.
Learn More
Hewlett Packard Enterprise (HPE) has issued an urgent security advisory for its Aruba Networking AOS-CX operating system, which powers CX-series campus and data center switches. The update patches five security vulnerabilities ranging from medium to critical severity.
Vulnerabilities summary:
- CVE-2026-23813 (CVSS score 9.8) - A critical authentication bypass in the web-based management interface that allows unauthenticated remote actors to circumvent security controls. The flaw occurs because the interface fails to properly validate session tokens for specific administrative endpoints, allowing an attacker to send a crafted request to reset the admin password. Successful exploitation results in a complete takeover of the switch management console, granting the attacker full control over network configurations and traffic.
- CVE-2026-23814 (CVSS score 8.8) - A command injection vulnerability within the parameters of specific CLI commands that allows low-privilege authenticated attackers to execute unauthorized code. By including shell metacharacters in command arguments, an attacker can break out of the restricted CLI environment and run commands with the privileges of the AOS-CX process. This bypasses the principle of least privilege and allows an attacker to manipulate system files or disrupt network services.
- CVE-2026-23815 (CVSS score 7.2) - A command injection flaw in a custom binary used by the administrative CLI that enables high-privilege authenticated users to perform unauthorized actions. The vulnerability is triggered when the binary processes maliciously crafted administrative inputs without sufficient sanitization, leading to the execution of arbitrary system commands. This allows an administrator to escape the intended management scope and gain direct access to the underlying operating system kernel.
- CVE-2026-23816 (CVSS score 7.2) - A command injection vulnerability in the CLI of AOS-CX switches that permits authenticated remote attackers to run arbitrary commands on the underlying Linux-based operating system. The flaw stems from inadequate input filtering in the command-line parser, which fails to block malicious escape sequences. An attacker can use this to gain a persistent foothold on the switch hardware, potentially exfiltrating sensitive configuration data or credentials.
- CVE-2026-23817 (CVSS score 6.5) - An unauthenticated open redirect vulnerability in the web-based management interface that allows attackers to redirect users to arbitrary external URLs. By manipulating URL parameters in the management login page, an attacker can trick administrators into visiting a malicious site that mimics the legitimate login portal. This is a critical component of credential harvesting attacks, as it leverages the trust associated with the switch's own IP address or hostname.
A successful exploit of CVE-2026-23813 grants an attacker full administrative access to core networking infrastructure. Once the admin password is reset, an attacker can modify network configurations, intercept traffic, or shut down critical services.
The vulnerabilities affect HPE Aruba Networking hardware running AOS-CX software versions 10.17.0001 and below, 10.16.1020 and below, 10.13.1160 and below, and 10.10.1170 and below. Impacted models include the Aruba CX 10000, 4100i, 6000, 6100, 6200F, 6300, 6400, 8320, 8325, 8360, 8400, and 9300 switch series.
HPE also notes that any software versions that have reached End of Support are likely affected but will not receive official patches.
Administrators should upgrade to AOS-CX versions 10.17.1001, 10.16.1030, 10.13.1161, or 10.10.1180 and above. If immediate patching is not possible, HPE recommends isolating all management interfaces to a dedicated Layer 2 segment or VLAN. Additionally, administrators should enforce Control Plane Access Control Lists (ACLs) to restrict REST and HTTP access to trusted hosts only. Disabling the HTTP/HTTPS interfaces on routed ports and Switched Virtual Interfaces (SVIs) where management access is not required provides an extra layer of defense.
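As an added example (not part of the HPE advisory or this article), the Python script below triages an inventory of AOS-CX switches against the fixed releases listed above, comparing builds numerically within each maintenance train. The hostnames and versions in the inventory are constructed; any release train the advisory does not name is flagged for manual review rather than assumed safe.

```python
"""Triage an AOS-CX inventory against the fixed releases named in the advisory."""

# Fixed releases per maintenance train, as stated in the advisory text.
# Anything on the same train older than the listed build is vulnerable.
FIXED_BY_TRAIN = {
    (10, 17): (10, 17, 1001),
    (10, 16): (10, 16, 1030),
    (10, 13): (10, 13, 1161),
    (10, 10): (10, 10, 1180),
}

def parse_version(text: str) -> tuple:
    """Parse 'MM.mm.BBBB' into an integer tuple so builds compare numerically
    ('10.17.0001' must sort below '10.17.1001', which string order also does,
    but '10.16.999' vs '10.16.1030' would not)."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised AOS-CX version string: {text!r}")
    return tuple(int(p) for p in parts)

def assess(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unlisted-train'.
    Trains the advisory does not name (including End-of-Support releases)
    cannot be cleared from this data alone, so they are sent to manual review."""
    v = parse_version(version)
    fixed = FIXED_BY_TRAIN.get(v[:2])
    if fixed is None:
        return "unlisted-train"
    return "patched" if v >= fixed else "vulnerable"

def triage(inventory: dict) -> dict:
    """Map hostname -> status for a {hostname: version} inventory so the
    vulnerable set can be fed straight into a patch plan."""
    return {host: assess(ver) for host, ver in inventory.items()}

# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "core-6300-a": "10.17.0001",
    "core-6300-b": "10.17.1001",
    "dc-8325-1": "10.16.1020",
    "dc-8325-2": "10.16.1030",
    "edge-6100-7": "10.13.1160",
    "lab-8320-x": "10.12.0006",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items(), key=lambda kv: kv[1]):
        print(f"{status:15} {host}")
```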