PROBABLYPWNED
Vulnerabilities | March 16, 2026 | 3 min read

HPE AOS-CX Switches Vulnerable to Admin Password Reset (CVSS 9.8)

CVE-2026-23813 allows unauthenticated attackers to reset admin passwords on HPE Aruba AOS-CX switches. No exploitation seen yet, but patch immediately.

Marcus Chen

Hewlett Packard Enterprise has disclosed a critical authentication bypass vulnerability in its Aruba AOS-CX switch operating system that could allow remote attackers to reset administrator passwords without credentials.

The flaw, tracked as CVE-2026-23813, carries a CVSS score of 9.8 and affects the web-based management interface across multiple AOS-CX switch families. Successful exploitation gives attackers full administrative control over enterprise network infrastructure—a worst-case scenario for any organization relying on these devices.

What's Vulnerable

The vulnerability exists in the web management interface of the following Aruba switch series:

  • CX 4100i
  • CX 6000, 6100, 6200, 6300, 6400
  • CX 8320, 8325, 8360
  • CX 9300
  • CX 10000

The attack is low-complexity and requires no authentication. An attacker with network access to the management interface can simply craft a request that bypasses authentication controls and resets the administrator password. From there, they own the switch.

This vulnerability pattern—authentication bypass in network appliances—continues to plague enterprise equipment. We've seen similar issues across vendors this year, though few reach CVSS 9.8.

Three More Command Injection Flaws

HPE's security bulletin addresses four vulnerabilities total. Beyond the critical auth bypass, three high-severity command injection flaws affect the CLI:

  • CVE-2026-23814 (CVSS 8.8): Authenticated remote attackers can inject commands via crafted CLI parameters
  • CVE-2026-23815 (CVSS 7.2): Command injection in high-privilege CLI binaries
  • CVE-2026-23816 (CVSS 7.2): Additional CLI command injection vector

A fifth issue, CVE-2026-23817 (CVSS 6.5), enables unauthenticated open redirects through the web interface.

The command injection flaws require authentication to exploit, but attackers who chain CVE-2026-23813 with any of these could achieve arbitrary code execution on compromised switches.

No Exploitation Yet—Patch Anyway

HPE states there's no evidence of active exploitation. But the severity score and attack simplicity make this a race against time once proof-of-concept code appears.

Security researcher "moonv" discovered the vulnerability and reported it through HPE's Aruba Networking Bug Bounty program.

Organizations should upgrade to patched AOS-CX versions immediately. The specific fixed versions vary by switch model—check HPE's security advisory for your hardware.

If patching isn't possible right now, HPE recommends these mitigations:

  1. Isolate management interfaces on dedicated VLANs
  2. Restrict management access to trusted hosts only
  3. Disable HTTP/HTTPS management interfaces where unnecessary
  4. Enforce access control lists for REST/HTTPS access
  5. Enable comprehensive logging and monitoring

The last point matters for detection. Organizations should monitor for unusual authentication attempts or password changes on network equipment, especially from unexpected source IPs.
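One way to act on that monitoring advice, as an added example that is not from HPE or the original article: flag admin password changes that arrive from outside the trusted management subnet or without a recent successful login from the same source. The key=value log format, field names, hostnames, addresses, trusted subnet, and 30-minute window are all assumptions constructed for illustration; map them to whatever your log collector actually emits.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Assumption: trusted management subnet and session window for this site (constructed values).
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
LOGIN_WINDOW = timedelta(minutes=30)

# Assumption: events normalized to key=value by the collector; not AOS-CX's native log format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) event=(?P<event>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample input.
SAMPLE_LOG = """\
2026-03-16T09:00:02Z sw-core-01 event=login_success user=admin src=10.20.0.15
2026-03-16T09:04:40Z sw-core-01 event=password_change user=admin src=10.20.0.15
2026-03-16T11:17:09Z sw-core-02 event=password_change user=admin src=10.20.0.44
2026-03-16T13:52:31Z sw-edge-07 event=password_change user=admin src=192.0.2.77
not a parsable line
"""

def find_suspicious_password_changes(log_text):
    """Return (host, src, reasons) for password changes that come from an
    untrusted subnet or lack a recent successful login from the same source."""
    last_login = {}  # (host, user, src) -> time of last successful login
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        try:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # malformed timestamp or address
        key = (m["host"], m["user"], m["src"])
        if m["event"] == "login_success":
            last_login[key] = ts
        elif m["event"] == "password_change":
            reasons = []
            if not any(src in net for net in TRUSTED_NETS):
                reasons.append("untrusted_source")
            seen = last_login.get(key)
            if seen is None or ts - seen > LOGIN_WINDOW:
                reasons.append("no_prior_login")
            if reasons:
                findings.append((m["host"], m["src"], reasons))
    return findings
```

On the sample input, the change on sw-core-01 passes because it follows a login from the same trusted host, while the other two are flagged.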

Network Equipment Under Siege

This disclosure continues a pattern of critical vulnerabilities in network infrastructure. We covered Cisco SD-WAN flaws exploited by sophisticated threat actors earlier this month, and BeyondTrust's pre-auth RCE affecting over 11,000 exposed instances.

Network devices sit at privileged positions within enterprise environments. Compromising a core switch gives attackers visibility into traffic flows, the ability to modify routing, and a pivot point for lateral movement that's difficult to detect with endpoint-focused security tools.

For defenders managing HPE Aruba infrastructure, treat this as an emergency patch cycle. The combination of unauthenticated access, critical severity, and potential for full device takeover leaves no room for delay.
