HPE warns of critical AOS-CX flaw allowing admin password resets
Source: Bleeping Computer

Hewlett Packard Enterprise (HPE) has patched multiple security vulnerabilities in the Aruba Networking AOS‑CX operating system, including several authentication and code‑execution issues. AOS‑CX is a cloud‑native network operating system (NOS) developed by HPE subsidiary Aruba Networks for the company’s CX‑series campus and data‑center switch devices.
Vulnerability Details
The most severe flaw is a critical authentication bypass, tracked as CVE‑2026‑23813, in the switches' web‑based management interface. It is exploitable remotely and without authentication in a low‑complexity attack, and a successful exploit can reset the admin password, which in practice hands the attacker administrative access to the device.
“A vulnerability has been identified in the web‑based management interface of AOS‑CX switches that could potentially allow an unauthenticated remote actor to circumvent existing authentication controls. In some cases this could enable resetting the admin password,” HPE said.
HPE noted that it is not aware of any public discussion or exploit code targeting these specific vulnerabilities as of the advisory release date.
Mitigation Recommendations
If you cannot apply the security updates immediately, consider the following measures:
- Restrict access to all management interfaces to a dedicated Layer 2 segment or VLAN to isolate management traffic.
- Implement strict Layer 3 (and above) policies to allow only authorized, trusted hosts to reach management interfaces.
- Disable HTTP(S) interfaces on Switched Virtual Interfaces (SVIs) and routed ports where management access is unnecessary.
- Enforce Control Plane Access Control Lists (ACLs) on any REST/HTTP‑enabled management interfaces, permitting only trusted clients to connect to HTTPS/REST endpoints.
- Enable comprehensive accounting, logging, and monitoring of all management‑interface activity to detect and respond to unauthorized access attempts.
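The following AOS‑CX configuration fragment is an added illustration of the second through fifth recommendations above; it is not configuration from HPE's advisory or from this article. The management subnet 10.10.0.0/24, the ACL name MGMT-ONLY, the VRF name mgmt and the collector address 10.10.0.50 are assumptions, the lines beginning with "!" are explanatory comments rather than switch commands, and the command syntax is written from memory of the AOS‑CX CLI, so check it against the CLI reference for your running release (and confirm control‑plane ACL support on the mgmt VRF of your platform) before applying it.

```text
! Serve the web UI / REST API only on the out-of-band management VRF
! (assumed name: mgmt). Removing it from the default VRF means SVIs and
! routed ports in the data plane no longer answer on TCP 443 at all.
https-server vrf mgmt
no https-server vrf default

! Control-plane ACL: only the assumed management subnet 10.10.0.0/24
! may reach HTTPS (443) and SSH (22) on the switch itself. Other traffic
! to those ports is dropped; everything else destined to the control
! plane (routing protocols, DHCP relay, etc.) is left alone by entry 50.
access-list ip MGMT-ONLY
    10 permit tcp 10.10.0.0/24 any eq 443
    20 permit tcp 10.10.0.0/24 any eq 22
    30 deny tcp any any eq 443
    40 deny tcp any any eq 22
    50 permit any any any

! Apply it to the control plane of the VRF that hosts the management
! services, and to the default VRF as defence in depth in case HTTPS is
! re-enabled there later.
apply access-list ip MGMT-ONLY control-plane vrf mgmt
apply access-list ip MGMT-ONLY control-plane vrf default

! Ship management-plane events (logins, configuration and password
! changes) to a central collector (assumed address 10.10.0.50) over the
! management VRF, so a password reset is visible off-box even if the
! attacker then clears local logs.
logging 10.10.0.50 vrf mgmt
```

Apply this over a console or out‑of‑band session rather than the very HTTPS session the ACL will cut, and verify it both ways afterwards: a client inside 10.10.0.0/24 should still reach the REST API and web UI, a client elsewhere should see its TCP 443 and 22 connections dropped, and the ACL hit counters should reflect both outcomes. The fragment narrows who can talk to the vulnerable interface; it does not remove the flaw, so the patch remains the actual fix.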
Related Security Advisories
- July 2025: HPE warned of hard‑coded credentials in Aruba Instant On Access Points, which could allow attackers to bypass standard device authentication.
- June 2025: HPE patched eight vulnerabilities in its StoreOnce backup and deduplication solution, including a critical authentication bypass and three remote code execution flaws.
- January 2025: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) flagged a maximum‑severity HPE OneView vulnerability as actively exploited.
Company Information
- Over 61,000 employees worldwide.
- Reported revenues of $30.1 billion in 2024.
- Serves more than 55,000 enterprise customers, including 90% of Fortune 500 companies.