Hewlett Packard Enterprise (HPE) has patched multiple security vulnerabilities in the Aruba Networking AOS-CX operating system, including several authentication and code execution issues.
AOS-CX is a cloud-native network operating system (NOS) developed by HPE subsidiary Aruba Networks for the company’s CX-series campus and data center switch devices.
The most severe security flaw today is a critical authentication bypass vulnerability (tracked as CVE-2026-23813) that attackers without privileges can exploit in low-complexity attacks to reset admin passwords.
“A vulnerability has been identified in the web-based management interface of AOS-CX switches that could potentially allow an unauthenticated remote actor to circumvent existing authentication controls. In some cases this could enable resetting the admin password,” HPE said.
“HPE Aruba Networking is not aware of any public discussion or exploit code targeting these specific vulnerabilities as of the release date of the advisory.”
IT admins who can’t immediately apply today’s security updates to patch vulnerable switches can take one of the following mitigation measures:
- Restrict access to all management interfaces to a dedicated Layer 2 segment or VLAN to isolate management traffic.
- Implement strict policies at Layer 3 and above to control access to management interfaces, allowing only authorized and trusted hosts.
- Disable HTTP(S) interfaces on Switched Virtual Interfaces (SVIs) and routed ports wherever management access is not required.
- Enforce Control Plane Access Control Lists (ACLs) to protect any REST/HTTP-enabled management interfaces, ensuring only trusted clients are allowed to connect to the HTTPS/REST endpoints.
- Enable comprehensive accounting, logging, and monitoring of all management interface activities to detect and respond to unauthorized access attempts.
HPE has yet to find publicly available proof-of-concept exploit code or evidence that attackers are abusing the vulnerabilities in the wild.
In July 2025, the company also warned of hardcoded credentials in Aruba Instant On Access Points that could allow attackers to bypass standard device authentication.
One month earlier, HPE patched eight vulnerabilities in its StoreOnce disk-based backup and deduplication solution, including another critical-severity authentication bypass and three remote code execution flaws.
More recently, in January, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) flagged a maximum-severity HPE OneView vulnerability as exploited in attacks.
HPE has over 61,000 employees worldwide, has reported revenues of $30.1 billion in 2024, and provides services and products to over 55,000 enterprise customers worldwide, including 90% of Fortune 500 companies.
Malware is getting smarter. The Red Report 2026 reveals how new threats use math to detect sandboxes and hide in plain sight.
Download our analysis of 1.1 million malicious samples to uncover the top 10 techniques and see if your security stack is blinded.
