CVE-2026-23813: The AOS-CX Flaw That Hands Attackers the Keys

A CVSS 9.8 authentication bypass in HPE Aruba's AOS-CX operating system requires no credentials, no privileges, and no user interaction to trigger — and its worst-case outcome is full administrative control of enterprise network switches that underpin campus and data center operations across thousands of organizations worldwide.

On March 10, 2026, Hewlett Packard Enterprise published Security Bulletin HPESBNW05027, disclosing five vulnerabilities in the Aruba Networking AOS-CX operating system. The most severe of the five — CVE-2026-23813 — scored a near-maximum 9.8 on the CVSSv3.1 scale and describes an authentication bypass in the web-based management interface that, under specific conditions, allows a completely unauthenticated remote attacker to reset the administrator password of an affected switch. HPE stated in the advisory that it was not aware of any public exploit code or active exploitation at the time of publication, but security researchers have since flagged the vulnerability as a high-priority remediation target given the role these devices play in enterprise infrastructure.

What Is AOS-CX and Why Does It Matter

AOS-CX is the Linux-based cloud-native network operating system developed by Aruba Networks, an HPE subsidiary, for the company's CX-series line of campus and data center switches. Unlike traditional switch operating systems, AOS-CX was built from the ground up to support automation workflows, REST APIs, and a browser-based management interface — capabilities that make it attractive for modern, programmable network environments. The same capabilities that make it flexible, however, also expand its attack surface.

The Aruba CX platform serves a broad cross-section of enterprise infrastructure: CX 6000 and 6100 series devices operate at the network access layer, while CX 6200, 6300, and 6400 series devices handle aggregation and distribution. At the top of the stack, CX 8320, 8325, 8360, and 8400 series devices are deployed in high-density data center environments, and the CX 9300 and CX 10000 are purpose-built for data center spine roles including distributed services and security enforcement. Compromise of any switch running AOS-CX does not affect only that device — it affects every host, server, and service sitting behind it.

HPE reported revenues of $30.1 billion in 2024 and serves over 55,000 enterprise customers, including 90 percent of Fortune 500 companies. Aruba networking hardware is embedded in organizations across finance, healthcare, government, and critical infrastructure. The scale of potential exposure makes CVE-2026-23813 a vulnerability that demands organizational attention, not just a ticket in a patch queue.

The Vulnerability: Technical Root Cause

CVE-2026-23813 resides in the web-based management interface of AOS-CX. The CVSS 3.1 vector string, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, tells the full story before a single line of the advisory is read. The attack vector is network-based. The attack complexity is low. No privileges are required. No user interaction is needed. The scope is unchanged. The impacts on confidentiality, integrity, and availability are each rated high.

The root cause involves insufficient validation of requests sent to the password reset functionality within the web management interface. The interface fails to properly validate session tokens for specific administrative endpoints, allowing a crafted HTTP request to trigger the password reset process without valid authentication credentials or an established session. In practice, this means an attacker with network access to the management interface — whether over LAN, over a routed management network, or over a reachable REST endpoint — can send a targeted request that resets the admin password without ever logging in.

"A vulnerability has been identified in the web-based management interface of AOS-CX switches that could potentially allow an unauthenticated remote actor to circumvent existing authentication controls. In some cases this could enable resetting the admin password." — HPE Security Bulletin HPESBNW05027

The vulnerability was discovered and responsibly disclosed to HPE Aruba Networking through their bug bounty program by a researcher identified as "moonv." HPE credited this researcher in the advisory and confirmed that patches were prepared and released in coordination with the disclosure. As of the time of publication, no public proof-of-concept exploit code had been released and no active exploitation campaigns had been observed in the wild. That status can change quickly once a critical vulnerability of this nature enters public awareness.

Urgent

The IONIX research team confirmed it is actively tracking exploitation attempts against CVE-2026-23813. Organizations running unpatched AOS-CX versions should treat this as a priority remediation, not a scheduled maintenance item. The window between vulnerability disclosure and weaponized exploit code has historically been measured in days for critical network infrastructure flaws.

The Full Advisory: Five CVEs, One Platform

While CVE-2026-23813 commands the most attention, Security Bulletin HPESBNW05027 covers four additional vulnerabilities in AOS-CX. Understanding the full advisory matters because several of these issues interact in ways that amplify the risk of CVE-2026-23813 in practice.

| CVE | CVSS | Severity | Type | Auth Required | Reported By |
|---|---|---|---|---|---|
| CVE-2026-23813 | 9.8 | Critical | Authentication Bypass / Admin Password Reset | None | moonv (Bug Bounty) |
| CVE-2026-23814 | 8.8 | High | Authenticated Command Injection (CLI) | Low privilege | Italy's National Cybersecurity Agency |
| CVE-2026-23815 | 7.2 | High | Authenticated Command Injection (custom binary) | High privilege | Not disclosed |
| CVE-2026-23816 | 7.2 | High | Authenticated Command Injection (CLI) | Authenticated | Not disclosed |
| CVE-2026-23817 | 6.5 | Medium | Unauthenticated Open Redirect (web interface) | None | Not disclosed |

CVE-2026-23814, rated 8.8, is a command injection vulnerability in the AOS-CX CLI that a low-privilege authenticated attacker can exploit by inserting shell metacharacters into command parameters, breaking out of the restricted CLI environment and executing arbitrary code with the privileges of the AOS-CX process. Italy's National Cybersecurity Agency discovered and reported this flaw.

CVE-2026-23815 and CVE-2026-23816, both scored at 7.2, are also command injection flaws but require higher-privilege authenticated access. CVE-2026-23815 targets a custom binary used by the administrative CLI. An attacker supplying maliciously crafted administrative inputs can bypass sanitization and reach the underlying OS kernel. CVE-2026-23816 exploits inadequate input filtering in the command-line parser itself, allowing an authenticated attacker to run arbitrary commands on the switch's underlying Linux system and establish a persistent foothold.

CVE-2026-23817, rated 6.5, is an open redirect vulnerability in the web management interface that allows unauthenticated attackers to redirect users to arbitrary external URLs, creating a phishing vector that can be used to harvest credentials.

The Attack Chain: From Unauthenticated to Full Control

Considered in isolation, CVE-2026-23814 requires an authenticated session. But when combined with CVE-2026-23813, the authentication requirement collapses entirely. An attacker who first exploits the authentication bypass to reset the administrator password gains administrative access to the switch. From that position, they can leverage any of the authenticated command injection vulnerabilities to move from the management interface into the underlying Linux operating system.

Figure: CVE-2026-23813 + CVE-2026-23814 Attack Chain
Stage 1: Network Access (Mgmt interface) → Stage 2: Auth Bypass (CVE-2026-23813) → Stage 3: Admin Takeover (Password reset) → Stage 4: Cmd Injection (CVE-2026-23814) → Stage 5: Full OS Compromise (Underlying Linux)
Chaining CVE-2026-23813 and CVE-2026-23814 produces a fully unauthenticated path to arbitrary OS command execution on affected AOS-CX switches.

This chained scenario — bypass authentication, reset admin password, inject commands — gives an attacker a fully unauthenticated path to the underlying Linux environment. From there, an attacker can modify routing tables, disable access control lists, intercept traffic flows, exfiltrate credentials stored in configuration files, install persistent backdoors, or simply take the switch offline. Because AOS-CX devices commonly sit at the aggregation and core layers of enterprise networks, the downstream impact of a single compromised device can cascade across an entire organization's connectivity and security posture.

"Exploitation of this Aruba vulnerability potentially gives attackers full control of AOS-CX network devices and the ability to compromise an entire system undetected." — Ross Filipek, CISO at Corsica Technologies, quoted by SecurityWeek

No APT groups or criminal threat actors have been attributed to exploitation of CVE-2026-23813 as of the publication of this article. Neither MITRE ATT&CK, HPE's advisory, nor open-source threat intelligence sources have recorded active campaigns targeting this specific vulnerability. That said, the historical pattern for critical network infrastructure flaws is clear: public disclosure accelerates the development of weaponized exploits, and network devices running management interfaces reachable from internal networks represent high-value, high-yield targets for ransomware operators and state-sponsored actors alike. Organizations should not wait for attributed exploitation before acting.

Affected Versions and Patched Releases

The vulnerability affects multiple AOS-CX software branches that are widely deployed across enterprise environments. HPE has released patched versions for actively supported branches. Devices running end-of-support software versions are expected to be affected and will not receive official patches.

| AOS-CX Branch | Vulnerable Through | Fixed Version |
|---|---|---|
| 10.17.xxxx | 10.17.0001 and earlier | 10.17.1001 or later |
| 10.16.xxxx | 10.16.1020 and earlier | 10.16.1030 or later |
| 10.13.xxxx | 10.13.1160 and earlier | 10.13.1161 or later |
| 10.10.xxxx | 10.10.1170 and earlier | 10.10.1180 or later |

Affected hardware families span a substantial portion of the Aruba CX portfolio. SecurityWeek confirmed the impacted models as the CX 4100i, CX 6000, CX 6100, CX 6200, CX 6300, CX 6400, CX 8320, CX 8325, CX 8360, CX 9300, and CX 10000 series switches. Beyond Machines additionally identified the CX 6200F and CX 8400 as part of the affected product set. For the authoritative and complete list, organizations should reference HPE Security Bulletin HPESBNW05027 directly at support.hpe.com.

Organizations running end-of-support AOS-CX versions face a harder problem. Those devices will not receive patches from HPE regardless of the severity of the vulnerability. For networks that include legacy AOS-CX hardware on unsupported firmware, compensating controls — particularly strict management network isolation — become the primary available protection until hardware refresh or alternate mitigations can be implemented.
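
For fleet triage, the version table in this section can be applied to a switch inventory as below. This is an added example, not code from HPE or the advisory. The inventory, hostnames, and the optional platform prefix on version strings (for example "FL.") are assumptions. Branches missing from the table and builds that fall between the two published bounds are reported separately rather than guessed.

```python
import re

# Transcribed from the table above: branch -> (last vulnerable build, first fixed build).
BRANCHES = {
    (10, 17): (1, 1001),     # 10.17.0001 and earlier / 10.17.1001 or later
    (10, 16): (1020, 1030),
    (10, 13): (1160, 1161),
    (10, 10): (1170, 1180),
}

# Assumption: an optional platform prefix such as "FL." may precede the version.
_VERSION = re.compile(r"^(?:[A-Za-z]{1,4}\.)?(\d+)\.(\d+)\.(\d+)$")


def triage(version: str) -> str:
    """Classify one AOS-CX version string against the advisory table."""
    m = _VERSION.match(version.strip())
    if not m:
        return "unparsed"
    major, minor, build = (int(g) for g in m.groups())
    bounds = BRANCHES.get((major, minor))
    if bounds is None:
        return "unlisted-branch"  # not in the table; may be end-of-support
    last_vulnerable, first_fixed = bounds
    if build <= last_vulnerable:
        return "vulnerable"
    if build >= first_fixed:
        return "fixed"
    return "verify-with-bulletin"  # between the two bounds the table gives


def triage_inventory(inventory: dict) -> dict:
    """Group hostnames by triage result so the vulnerable set is patched first."""
    report = {}
    for host, version in sorted(inventory.items()):
        report.setdefault(triage(version), []).append(host)
    return report


# Constructed inventory; hostnames and versions are sample data.
SAMPLE = {
    "core-01": "10.13.1160", "core-02": "10.13.1161", "agg-01": "FL.10.10.1100",
    "dc-spine-01": "10.17.1001", "access-07": "10.16.1025",
    "lab-01": "10.09.1000", "edge-02": "unknown",
}

if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE).items():
        print(f"{status:22} {', '.join(hosts)}")
```

Hosts in the "unlisted-branch" and "verify-with-bulletin" groups should be checked against HPESBNW05027 directly and kept behind the compensating controls until confirmed.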

Mitigation When Patching Is Not Immediate

Applying the patched AOS-CX releases documented above is the only permanent remediation. For environments where immediate upgrades are not operationally feasible, HPE documented a set of compensating controls in the advisory that reduce exposure of the management plane without requiring a software update.

The foundation of these compensating controls is management network isolation. Restricting access to all AOS-CX management interfaces to a dedicated Layer 2 segment or VLAN prevents the web interface from being reachable from untrusted internal segments, partner networks, or any path with external exposure. This single control eliminates a substantial portion of the attack surface for CVE-2026-23813, since the vulnerability requires network-level access to the management interface to trigger. If an attacker cannot reach the interface, they cannot exploit the flaw.

Layered on top of isolation, HPE recommends enforcing control plane access control lists (ACLs) to ensure that only explicitly trusted host addresses can connect to HTTPS and REST management endpoints. This limits the blast radius of any configuration error or unintended reachability that might expose the management plane despite VLAN segmentation. Organizations should also disable HTTP and HTTPS management interfaces on switched virtual interfaces (SVIs) and routed ports where administrative access is not required — reducing the total number of listening endpoints that need to be protected.

Finally, comprehensive logging and monitoring of management interface activity is essential for detecting unauthorized access attempts or unexpected configuration changes. Given that successful exploitation of CVE-2026-23813 would produce an admin password reset event, monitoring for unexpected credential modification activity in management interface logs is a direct detection opportunity during the window before patching is complete.
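
The detection opportunity described above can be expressed as a correlation rule: an admin credential change with no recent successful login from the same source, or from a host outside the management allowlist. This is an added example, not HPE tooling. The event fields, the trusted host set, and the 30-minute session window are hypothetical and stand in for whatever your log pipeline produces after normalization; they are not the AOS-CX log format.

```python
from datetime import datetime, timedelta

# Assumption: hosts permitted by your control plane ACL (constructed addresses).
TRUSTED_MGMT_HOSTS = {"10.0.50.10", "10.0.50.11"}
SESSION_WINDOW = timedelta(minutes=30)  # assumed maximum admin session age


def find_suspicious_resets(events):
    """Return admin credential changes that lack a prior login from the same source.

    Each event is a dict with hypothetical normalized fields:
    ts (ISO 8601), switch, src_ip, action, user.
    action is "login_success" or "password_change".
    """
    last_login = {}  # (switch, src_ip) -> time of most recent successful login
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["switch"], ev["src_ip"])
        if ev["action"] == "login_success":
            last_login[key] = ts
        elif ev["action"] == "password_change" and ev["user"] == "admin":
            reasons = []
            seen = last_login.get(key)
            if seen is None or ts - seen > SESSION_WINDOW:
                reasons.append("no-preceding-login")
            if ev["src_ip"] not in TRUSTED_MGMT_HOSTS:
                reasons.append("untrusted-source")
            if reasons:
                findings.append((ev["switch"], ev["src_ip"], ev["ts"], reasons))
    return findings


# Constructed events for illustration; not real AOS-CX log output.
FIELDS = ("ts", "switch", "src_ip", "action", "user")
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in [
    ("2026-03-12T09:00:05", "core-01", "10.0.50.10", "login_success", "admin"),
    ("2026-03-12T09:02:00", "core-01", "10.0.50.10", "password_change", "admin"),
    ("2026-03-12T09:15:30", "agg-01", "10.20.7.44", "password_change", "admin"),
    ("2026-03-12T09:30:00", "core-02", "10.0.50.11", "login_success", "admin"),
    ("2026-03-12T11:00:00", "core-02", "10.0.50.11", "password_change", "admin"),
]]
```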

Note

This is not the first critical authentication vulnerability HPE has disclosed in recent months. In July 2025, HPE warned of hardcoded credentials in Aruba Instant On Access Points (CVE-2025-37103, CVSS 9.8) that allowed attackers to bypass authentication entirely. In January 2026, CISA flagged a maximum-severity HPE OneView vulnerability as actively exploited. The pattern reflects a broader challenge in enterprise networking: the management planes of network infrastructure are high-value targets that require the same patching discipline applied to endpoints and servers.

Key Takeaways

  1. The vulnerability requires no credentials to exploit. CVE-2026-23813 is network-exploitable, requires no privileges, and needs no user interaction. Any AOS-CX switch with a reachable management interface and an unpatched firmware version is exposed to a complete administrative takeover.
  2. It chains with authenticated vulnerabilities to produce a fully unauthenticated OS-level compromise. CVE-2026-23813 and CVE-2026-23814 together create a realistic path from an unauthenticated network position to arbitrary command execution on the underlying Linux OS — with no credentials required at any point in the chain.
  3. Patched versions are available for all supported branches. AOS-CX 10.17.1001, 10.16.1030, 10.13.1161, and 10.10.1180 resolve all five vulnerabilities disclosed in Security Bulletin HPESBNW05027. Organizations should prioritize these updates, particularly for switches operating at aggregation, core, and data center spine roles.
  4. End-of-support devices will not receive patches and must rely on compensating controls. For legacy hardware, strict management network isolation and control plane ACLs are the primary available protections. These devices should be flagged for hardware refresh planning.
  5. No exploitation has been observed yet, but the window is narrowing. Disclosure of a CVSS 9.8 network authentication bypass in widely deployed enterprise hardware accelerates attacker interest. Organizations should not treat the absence of current exploitation as a reason to defer action.

Network devices are not servers, and they are rarely treated with the same urgency in enterprise patch management workflows. CVE-2026-23813 is a precise example of why that asymmetry is dangerous. The management plane of a core switch is as consequential as the most sensitive server in a data center — and in many cases, it is a single hop away from every one of them. Getting patching right on this one matters.

Sources
  1. HPE Security Bulletin HPESBNW05027 — support.hpe.com
  2. BleepingComputer, "HPE warns of critical AOS-CX flaw allowing admin password resets" — bleepingcomputer.com
  3. SecurityWeek, "Critical HPE AOS-CX Vulnerability Allows Admin Password Resets" — securityweek.com
  4. CyCognito, "Emerging Threat: HPE Aruba AOS-CX Pre-Auth RCE" — cycognito.com
  5. Security Affairs, "Hewlett Packard Enterprise fixes critical authentication bypass in Aruba AOS-CX" — securityaffairs.com
  6. CSO Online, "Critical flaw in HPE Aruba CX switches lets attackers seize admin control without credentials" — csoonline.com
  7. Field Effect, "Critical authentication bypass in Aruba AOS-CX impacts CX-series switches" — fieldeffect.com
  8. IONIX Threat Center, "CVE-2026-23813" — ionix.io
  9. Cyber Security Agency of Singapore, "Critical Vulnerabilities in Aruba Networking AOS-CX" — csa.gov.sg
  10. Beyond Machines, "HPE Patches Multiple Flaws Aruba AOS-CX Including Critical Allowing Admin Password Resets" — beyondmachines.net
  11. Rescana, "CVE-2026-23813: Critical Authentication Bypass in HPE Aruba AOS-CX" — rescana.com