CVE-2026-23813 – HPE Aruba Networking AOS-CX — Authentication Bypass in Web Management Interface
"A network switch with a broken lock is not a switch — it is an open door into every system behind it."
CVE-2026-23813 affects HPE Aruba Networking AOS-CX switches, specifically the web-based management interface. The CVSS score is 9.8, which is Critical severity. No real-world exploitation has been confirmed. An unauthenticated remote attacker can bypass authentication controls and reset the administrator password with no credentials required. Affected versions span four release branches: 10.17.0001 and below, 10.16.1020 and below, 10.13.1160 and below, and 10.10.1170 and below.
Full control of a core switch enables traffic interception, VLAN manipulation, port mirroring, and deep network pivoting. For server rooms, data centers, or OT environments, this is a single point of catastrophic failure. HPE has released patched firmware. Where immediate patching is not possible, restrict management interface access to trusted hosts and isolate management traffic.
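An added example (not HPE's or this page's own code) that triages a switch inventory against the four affected version ranges listed above. The version-string format with an optional two-letter platform prefix, the status names, and the sample inventory are assumptions made for illustration.

```python
import re

# Highest affected build on each release branch, as listed in the advisory text.
AFFECTED_MAX_BUILD = {(10, 17): 1, (10, 16): 1020, (10, 13): 1160, (10, 10): 1170}

# Assumption: a version is "major.minor.build", optionally preceded by a
# two-letter platform prefix (for example "FL.10.13.1160").
VERSION_RE = re.compile(r"(?:[A-Za-z]{2}\.)?(\d+)\.(\d+)\.(\d+)")


def classify(version):
    """Return the triage status of one firmware version string."""
    match = VERSION_RE.fullmatch(version.strip())
    if match is None:
        return "unparseable"
    major, minor, build = (int(part) for part in match.groups())
    max_build = AFFECTED_MAX_BUILD.get((major, minor))
    if max_build is None:
        # The page names only four branches; check the vendor advisory for others.
        return "unlisted-branch"
    return "affected" if build <= max_build else "above-affected-range"


def triage(inventory):
    """Group hostnames by status so affected and unknown devices stand out."""
    report = {}
    for host, version in sorted(inventory.items()):
        report.setdefault(classify(version), []).append(host)
    return report


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = {
    "core-sw-01": "FL.10.13.1160",
    "core-sw-02": "FL.10.13.1161",
    "dist-sw-01": "10.17.0001",
    "dist-sw-02": "10.16.1021",
    "edge-sw-01": "10.12.1000",
    "edge-sw-02": "unknown",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```

Devices reported as unlisted-branch or unparseable need manual review against the vendor advisory, since this page does not state their status.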
Key Details
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- CWE Classification: CWE-287