HPE Aruba Networking has released patches for five vulnerabilities in its AOS-CX switch software, the most severe of which could let a remote attacker take administrative control of enterprise network switches without any credentials.

The critical flaw, CVE-2026-23813, scored 9.8 out of 10 on the CVSSv3.1 scale. According to a security advisory HPE published on Tuesday, the vulnerability sits in the web-based management interface of AOS-CX switches. It requires no authentication, no privileges, and no user interaction to exploit, and can be triggered entirely over the network.

“A vulnerability has been identified in the web-based management interface of AOS-CX switches that could potentially allow an unauthenticated remote actor to circumvent existing authentication controls,” HPE said in a security advisory. “In some cases this could enable resetting the admin password.”

A researcher identified as “moonv” discovered and reported the vulnerability through HPE Aruba Networking’s bug bounty program, the advisory added.

The same advisory covers three further vulnerabilities in the AOS-CX command-line interface, all rated high severity, alongside a medium-rated open redirect flaw in the web interface.

CLI command injection flaws add to the risk

All three CLI vulnerabilities involve command injection, but differ in the level of access an attacker needs to exploit them.

CVE-2026-23814, scored 8.8, requires only low-level authenticated access. A remote attacker with minimal privileges could inject malicious commands through parameters in a CLI command, resulting in unwanted behavior, the advisory said. Italy’s National Cybersecurity Agency discovered and reported the flaw.

The other two CLI flaws, CVE-2026-23815 and CVE-2026-23816, both scored 7.2, need higher administrative privileges but still let an authenticated attacker run arbitrary commands on the underlying operating system, the advisory said. A fifth vulnerability, CVE-2026-23817, rated medium at 6.5, lets an unauthenticated attacker redirect users to an arbitrary URL through the web management interface.

“Exploitation of this Aruba vulnerability potentially gives attackers full control of AOS-CX network devices and the ability to compromise an entire system undetected,” said Ross Filipek, CISO at Corsica Technologies. “A successful compromise could lead to the disruption of network communications or the erosion of the integrity of key business services. This flaw is a reminder that vulnerabilities in network devices are becoming more common in today’s hyper-connected world. When attackers gain privileged access to these devices, it puts organizations at significant risk.”

HPE Aruba Networking said in the advisory that it was “not aware of any public discussion or exploit code targeting these specific vulnerabilities” as of publication. The vulnerabilities, however, affect a broad range of AOS-CX deployments across both campus and data center environments.

Exposure spans campus to data center switching

The vulnerabilities affect AOS-CX software across four active version branches, spanning entry-level campus switches to data center-class hardware. Versions that reached the end of support before the advisory’s publication are also expected to be vulnerable, the advisory said. Organizations running AOS-CX 10.17.0001 and below, 10.16.1020 and below, 10.13.1160 and below, or 10.10.1170 and below are affected, the advisory added.
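A practical way to act on those version ranges is to check a switch inventory against them. The following is an added example, not code from the article or from HPE Aruba Networking; it assumes AOS-CX versions are reported as `major.minor.build` strings (as in `10.17.0001`), takes the four ceilings exactly as the article quotes them, and, following the advisory's statement that end-of-support branches are also expected to be vulnerable, treats any branch older than 10.17 that is not in the list as end-of-support and therefore assumed affected. A branch newer than any the advisory names is reported as not covered rather than guessed at.

```python
"""Triage an AOS-CX switch inventory against the affected-version ceilings
quoted in the HPE Aruba Networking advisory (as reported in the article).

Constructed example: the ceilings are taken from the article text; the
inventory below is made up for illustration.
"""
from typing import Dict, List, Tuple

Branch = Tuple[int, int]

# "10.17.0001 and below, 10.16.1020 and below, 10.13.1160 and below,
#  or 10.10.1170 and below are affected" -> (major, minor): highest affected build
AFFECTED_CEILINGS: Dict[Branch, int] = {
    (10, 17): 1,
    (10, 16): 1020,
    (10, 13): 1160,
    (10, 10): 1170,
}

NEWEST_LISTED_BRANCH: Branch = max(AFFECTED_CEILINGS)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.build' into integers; rejects anything else."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised AOS-CX version string: {version!r}")
    major, minor, build = (int(p) for p in parts)
    return major, minor, build


def assess(version: str) -> str:
    """Classify one version string.

    Returns one of:
      'affected'              build is at or below the advisory ceiling
      'above-ceiling'         same branch, build above the quoted ceiling
      'end-of-support'        branch older than the newest listed branch and not
                              listed; the advisory says such branches are also
                              expected to be vulnerable (assumption: treat as affected)
      'newer-than-advisory'   branch newer than anything the advisory lists
    """
    major, minor, build = parse_version(version)
    branch: Branch = (major, minor)
    if branch in AFFECTED_CEILINGS:
        return "affected" if build <= AFFECTED_CEILINGS[branch] else "above-ceiling"
    if branch > NEWEST_LISTED_BRANCH:
        return "newer-than-advisory"
    return "end-of-support"


def needs_action(status: str) -> bool:
    """Statuses that should be patched or isolated per the advisory's guidance."""
    return status in ("affected", "end-of-support")


def triage_inventory(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map hostname -> status for a list of (hostname, version) pairs."""
    return {host: assess(version) for host, version in inventory}


def hosts_needing_action(inventory: List[Tuple[str, str]]) -> List[str]:
    """Hostnames whose status calls for patching or mitigation, in input order."""
    return [host for host, status in triage_inventory(inventory).items()
            if needs_action(status)]


# Constructed inventory for demonstration (hostnames and versions are made up).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("campus-core-01", "10.17.0001"),   # at ceiling -> affected
    ("campus-core-02", "10.17.0010"),   # above ceiling
    ("dc-spine-01", "10.16.1020"),      # at ceiling -> affected
    ("dc-spine-02", "10.16.1030"),      # above ceiling
    ("branch-access-07", "10.12.0040"), # unlisted older branch -> end-of-support
    ("lab-switch-01", "10.18.0001"),    # newer than anything listed
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        flag = "ACTION" if needs_action(status) else "ok"
        print(f"{host:20s} {status:22s} {flag}")
```

Run against a real inventory, the output is a worklist for patching, with end-of-support branches surfaced separately because the advisory says those do not receive fixes and must instead be mitigated (management-plane isolation, control-plane ACLs) or upgraded to a supported branch.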

The disclosure follows a series of recent HPE security advisories. In December 2025, HPE patched a maximum-severity remote code execution (RCE) flaw in its OneView infrastructure management software that affected all versions from 5.20 through 10.20. Weeks later, CISA added that flaw to its Known Exploited Vulnerabilities catalog, setting a January 28 deadline for federal civilian agencies to patch.

What to do before patching

The advisory recommended isolating switch management interfaces to a dedicated Layer 2 segment or VLAN, enforcing firewall policies at Layer 3 and above to limit access to authorized hosts, and disabling HTTP and HTTPS interfaces on Switched Virtual Interfaces and routed ports where management access is not needed.

Enforcing Control Plane Access Control Lists on REST and HTTPS endpoints and enabling comprehensive logging of management interface activity were also recommended, the advisory said. “HPE Aruba Networking does not evaluate or patch software branches that have reached their End of Maintenance (EoM) milestone,” the advisory noted.
