
HPE Aruba AOS-CX vulnerabilities addressed, including critical password reset flaw


Hewlett Packard Enterprise (HPE) has released patches for several vulnerabilities affecting its Aruba AOS-CX operating system, including a critical flaw that could allow attackers to reset administrator passwords. The most severe issue, CVE-2026-23813, carries a CVSS score of 9.8 and enables unprivileged attackers to bypass authentication with low complexity, according to a recent report by Security Affairs.

The critical vulnerability, CVE-2026-23813, resides in the web-based management interface of AOS-CX switches. HPE also addressed four other vulnerabilities: CVE-2026-23814 and CVE-2026-23815, both authenticated command injection flaws with CVSS scores of 8.8 and 7.2 respectively, allowing for arbitrary code execution; CVE-2026-23816, another authenticated command injection flaw (CVSS 7.2); and CVE-2026-23817, an unauthenticated open redirect vulnerability (CVSS 6.5) in the web interface. HPE has stated there is no evidence of these vulnerabilities being exploited in the wild.

Additionally, a separate advisory from July 2025 detailed hardcoded credentials in Aruba Instant On Wi-Fi devices (CVE-2025-37103), impacting small and medium-sized businesses. HPE recommends isolating management interfaces, limiting access, and disabling unnecessary services to mitigate risks.
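The mitigations HPE recommends (isolate management interfaces, limit access, disable unnecessary services) are easy to state and easy to drift away from. The script below is an added example, not HPE's or Security Affairs' tooling: run from a host that should have no path to the switch management network, it probes each inventoried management address on the assumed web-UI ports (80 and 443) and reports any that answer, which is exactly the surface a pre-authentication flaw such as CVE-2026-23813 targets. The inventory, the port list and the probe function are assumptions; the probe is injectable so the check can be exercised offline.

```python
"""Exposure check for switch web-management interfaces.

Added example (not vendor code). Run it from a vantage point that is NOT
supposed to reach the management VRF/network; anything that answers is a
finding, because the AOS-CX web UI is the component hosting the
authentication-bypass flaw described above.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List

# Assumed web-UI ports for the management interface.
WEB_UI_PORTS = (443, 80)

Probe = Callable[[str, int], bool]


@dataclass(frozen=True)
class Device:
    name: str
    mgmt_ip: str


# Constructed inventory using documentation-only addresses (RFC 5737).
INVENTORY: List[Device] = [
    Device("core-sw-1", "192.0.2.10"),
    Device("core-sw-2", "192.0.2.11"),
    Device("edge-sw-7", "192.0.2.12"),
]


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def find_exposed(devices: Iterable[Device], probe: Probe = tcp_reachable) -> Dict[str, List[int]]:
    """Map device name -> list of web-UI ports reachable from this vantage point.

    Devices with no reachable port are omitted, so an empty dict means the
    management plane is not reachable from here on the checked ports.
    """
    exposed: Dict[str, List[int]] = {}
    for dev in devices:
        open_ports = [p for p in WEB_UI_PORTS if probe(dev.mgmt_ip, p)]
        if open_ports:
            exposed[dev.name] = open_ports
    return exposed


def report(exposed: Dict[str, List[int]]) -> str:
    """Render findings as one line per device, suitable for a ticket or log."""
    if not exposed:
        return "OK: no management web UI reachable from this vantage point"
    lines = [f"FINDING: {name} answers on {', '.join(map(str, ports))}" for name, ports in exposed.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    # Real probe; run from outside the management network.
    print(report(find_exposed(INVENTORY)))
```

A reachable web UI from an untrusted segment should be treated as an access-control gap to close (ACL, management VRF, or firewall rule) independently of patch status, since patching removes one bug while the exposure remains the attack surface for the next.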

Source: Security Affairs
