CVE-2026-23813: Critical Authentication Bypass in HPE Aruba AOS-CX Allows Remote Admin Password Reset

  • 4 days ago

Executive Summary

A critical authentication bypass vulnerability, identified as CVE-2026-23813, has been discovered in HPE Aruba Networking AOS-CX, the network operating system that powers the Aruba CX-series campus and data center switches. This vulnerability allows unauthenticated remote attackers to reset administrator passwords through the web-based management interface, potentially granting full administrative control over affected devices. While there is currently no evidence of exploitation in the wild or public proof-of-concept code, the risk is considered severe due to the low complexity of exploitation and the criticality of the impacted infrastructure. Organizations using Aruba CX-series switches are strongly advised to review their exposure and apply mitigations or patches as soon as possible.

Technical Information

The vulnerability, tracked as CVE-2026-23813, is rated as critical with a CVSS v3.1 score of 9.8. It resides in the web-based management interface of Aruba Networking AOS-CX. The flaw allows an unauthenticated remote attacker to bypass authentication controls and reset the administrator password. This is achieved by exploiting improper access control mechanisms within the management interface, enabling the attacker to gain privileged access without valid credentials.

The attack vector is remote and requires only network access to the management interface, with no prior authentication or user interaction. Attack complexity is low, so attackers with moderate technical skills can leverage the flaw. Once the flaw is exploited, the attacker can reset the admin password, effectively locking out legitimate administrators and gaining full control over the switch. This level of access could facilitate lateral movement within the network, disrupt operations, intercept sensitive data, or serve as a launchpad for further attacks against enterprise environments.

The vulnerability was responsibly disclosed to HPE Aruba Networking via their bug bounty program by the researcher known as "moonv." The vendor has released security advisories and patches addressing the issue. The affected products include a wide range of Aruba CX-series switches running vulnerable versions of AOS-CX. The flaw is present in multiple major and minor releases, including those that have reached end-of-support status.

The technical root cause involves insufficient validation of requests to the password reset functionality in the web management interface. Attackers can craft specific HTTP requests that trigger the password reset process without requiring authentication tokens or session validation. This bypasses the intended security controls and allows for unauthorized administrative access.

Exploitation in the Wild

As of the latest advisories and open-source reporting, there is no evidence of exploitation in the wild for CVE-2026-23813. HPE, BleepingComputer, SecurityWeek, and CSO Online all confirm that no public proof-of-concept code or exploit scripts have been released. Security researchers and vendors have not observed any active campaigns or incidents leveraging this vulnerability. However, given the criticality and exposure of the affected devices, the likelihood of exploitation increases significantly following public disclosure and patch release. Organizations should remain vigilant and monitor for any signs of suspicious activity related to their Aruba CX-series switches.

APT Groups using this vulnerability

No known APT groups or criminal threat actors have been observed exploiting CVE-2026-23813 as of this report. MITRE, vendor advisories, and open-source intelligence sources have not attributed any campaigns or attacks to this vulnerability. However, the nature of the flaw, which grants unauthenticated administrative access to core network infrastructure, makes it an attractive target for both state-sponsored and financially motivated actors. Historically, similar vulnerabilities in network management interfaces have been rapidly adopted by APT groups once exploit code becomes available. The broad deployment of Aruba CX-series switches in enterprise and data center environments, including critical sectors and Fortune 500 companies, further elevates the risk of future targeted exploitation.

Affected Product Versions

According to the official HPE Security Bulletin, the following versions of AOS-CX are affected:

  • AOS-CX 10.13.xxxx: All versions prior to and including 10.13.1160
  • AOS-CX 10.16.xxxx: All versions prior to and including 10.16.1020
  • AOS-CX 10.17.xxxx: All versions prior to and including 10.17.0001
  • AOS-CX 10.10.xxxx: All versions prior to and including 10.10.1170

Fixed versions are 10.13.1170 and later, 10.16.1030 and later, and 10.17.0002 and later. Software versions of AOS-CX that are end-of-support at the time of publication are also expected to be affected.

The impacted product families include Aruba CX 6200 Series Switches, Aruba CX 6300 Series Switches, Aruba CX 6400 Series Switches, Aruba CX 8320 Series Switches, Aruba CX 8325 Series Switches, Aruba CX 8360 Series Switches, and Aruba CX 8400 Series Switches.

For a comprehensive and up-to-date list of affected and remediated versions, refer to the HPE Security Bulletin: hpesbnw05027en_us.
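The version thresholds above can be applied to a switch inventory to decide which devices to patch first. The following is an added example, not code from HPE or from this advisory's author; the hostnames, the sample inventory and the optional platform prefix on version strings (such as "FL.") are assumptions.

```python
import re

# Thresholds copied from the advisory text: last affected build per branch, and
# first fixed build where the page states one (none is stated for 10.10).
LAST_AFFECTED = {"10.10": 1170, "10.13": 1160, "10.16": 1020, "10.17": 1}
FIRST_FIXED = {"10.13": 1170, "10.16": 1030, "10.17": 2}

# Assumption: versions look like "10.13.1160", optionally preceded by a short
# platform prefix such as "FL." (the form reported by `show version`).
VERSION_RE = re.compile(r"^(?:[A-Za-z]{1,3}\.)?(\d+)\.(\d+)\.(\d+)$")

def classify(version: str) -> str:
    """Return affected / fixed / check-bulletin / unlisted-branch / unparsed."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unparsed"
    branch = f"{int(m.group(1))}.{int(m.group(2)):02d}"
    build = int(m.group(3))
    if branch not in LAST_AFFECTED:
        # Page: end-of-support releases are also expected to be affected.
        return "unlisted-branch"
    if build <= LAST_AFFECTED[branch]:
        return "affected"
    if branch in FIRST_FIXED and build >= FIRST_FIXED[branch]:
        return "fixed"
    # Builds between the two thresholds, or any later 10.10 build.
    return "check-bulletin"

def triage(inventory: dict) -> dict:
    """Group hostnames by classification so affected switches surface first."""
    groups = {}
    for host, version in sorted(inventory.items()):
        groups.setdefault(classify(version), []).append(host)
    return groups

# Constructed inventory (hostnames and versions are sample data).
SAMPLE_INVENTORY = {
    "core-sw1": "FL.10.13.1160",
    "core-sw2": "FL.10.13.1170",
    "dc-leaf1": "GL.10.10.1170",
    "dc-leaf2": "10.16.1025",
    "edge-sw1": "10.09.1000",
    "lab-sw1": "unknown",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:16} {', '.join(hosts)}")
```

Anything returned as "check-bulletin" or "unlisted-branch" falls outside the ranges quoted on this page and should be resolved against the HPE Security Bulletin rather than assumed safe.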

Workaround and Mitigation

If immediate patching is not feasible, organizations should restrict access to the management interfaces of Aruba CX-series switches to a dedicated VLAN or Layer 2 segment, and implement strict Layer 3 and higher policies to ensure that only trusted hosts can reach the management interface. Disabling HTTP and HTTPS interfaces on switch virtual interfaces (SVIs) and routed ports where not required is recommended. Enforcing control plane access control lists (ACLs) to limit REST and HTTP management access to trusted clients can further reduce exposure. Comprehensive logging and monitoring of management interface activity should be enabled to detect unauthorized access attempts or configuration changes.
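To verify these workarounds across a fleet, exported running-configs can be audited for web management enabled outside the management VRF and for VRFs with no control plane ACL. This is an added example, not vendor tooling; it assumes config lines of the form `https-server vrf <name>` and `apply access-list ip <acl> control-plane vrf <name>`, and the VRF name "mgmt", the ACL name and the config excerpts are constructed.

```python
import re

# Assumption: running-config lines have the forms `https-server vrf <name>` and
# `apply access-list ip <acl> control-plane vrf <name>`.
HTTPS_RE = re.compile(r"^https-server vrf (\S+)", re.M)
CP_ACL_RE = re.compile(
    r"^apply access-list (?:ip|ipv6) \S+ control-plane vrf (\S+)", re.M)

def audit_config(config: str, mgmt_vrfs=("mgmt",)) -> list:
    """List mitigation gaps for each VRF where the web interface is enabled."""
    acl_vrfs = set(CP_ACL_RE.findall(config))
    findings = []
    for vrf in sorted(set(HTTPS_RE.findall(config))):
        if vrf not in mgmt_vrfs:
            findings.append(f"https-server enabled on non-management VRF '{vrf}'")
        if vrf not in acl_vrfs:
            findings.append(f"no control-plane ACL applied on VRF '{vrf}'")
    return findings

# Constructed running-config excerpts (sample data, not from a real switch).
EXPOSED = """\
hostname edge-sw1
https-server vrf default
https-server vrf mgmt
apply access-list ip MGMT-ONLY control-plane vrf mgmt
"""
RESTRICTED = """\
hostname core-sw1
https-server vrf mgmt
apply access-list ip MGMT-ONLY control-plane vrf mgmt
"""

if __name__ == "__main__":
    for name, cfg in (("EXPOSED", EXPOSED), ("RESTRICTED", RESTRICTED)):
        print(name, audit_config(cfg) or "no findings")
```

The check confirms only that an ACL is applied to the control plane; whether its entries actually limit HTTP and REST access to trusted clients still needs review.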

The most effective mitigation is to apply the latest AOS-CX updates provided by HPE as soon as possible. These updates address the underlying vulnerability and restore the intended security posture of the management interface. Organizations should also review their network segmentation and access control strategies to minimize the attack surface of critical infrastructure components.

Rescana is here for you

Rescana is committed to helping organizations proactively manage third-party and supply chain cyber risk. Our advanced TPRM platform enables continuous monitoring, automated risk assessment, and actionable insights to strengthen your security posture. We encourage all customers to leverage our expertise and technology to stay ahead of emerging threats. If you have any questions about this advisory or require further assistance, our team is happy to help at ops@rescana.com.
