-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

HPE Aruba Networking Product Security Advisory
==============================================

Advisory ID: HPESBNW05027
CVE: CVE-2026-23813, CVE-2026-23814, CVE-2026-23815, CVE-2026-23816, CVE-2026-23817
Publication Date: 2026-Mar-10
Status: Confirmed
Severity: Critical
Revision: 1

Title
=====

HPE Aruba Networking AOS-CX, Multiple Vulnerabilities

Overview
========

HPE Aruba Networking has released AOS-CX software patches to address multiple security vulnerabilities.

Affected Products
=================

HPE Aruba Networking AOS-CX Software Version(s):

- AOS-CX 10.17.xxxx: 10.17.0001 and below
- AOS-CX 10.16.xxxx: 10.16.1020 and below
- AOS-CX 10.13.xxxx: 10.13.1160 and below
- AOS-CX 10.10.xxxx: 10.10.1170 and below

Software versions of AOS-CX that are End of Support at the time of publication of this security advisory are expected to be affected by these vulnerabilities unless otherwise indicated.

Unaffected Products
===================

Any other HPE Aruba Networking products not specifically listed above are not affected by these vulnerabilities.

Details
=======

Authentication Bypass in Web Interface allows Unauthenticated Admin Password Reset (CVE-2026-23813)
- ---------------------------------------------------------------------

A vulnerability has been identified in the web-based management interface of AOS-CX switches that could potentially allow an unauthenticated remote actor to circumvent existing authentication controls. In some cases this could enable resetting the admin password.

Internal References: VULN-149
Severity: Critical
CVSSv3.1 Base Score: 9.8
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by moonv through HPE Aruba Networking's Bug Bounty program.
Workaround: To mitigate the exposure of this vulnerability, HPE Aruba Networking recommends the following mitigation measures:

- Restrict access to all management interfaces to a dedicated Layer 2 segment or VLAN to isolate management traffic from general network traffic.
- Implement strict policies at Layer 3 and above to control access to management interfaces, permitting only authorized and trusted hosts.
- Disable HTTP(S) interfaces on Switched Virtual Interfaces (SVIs) and routed ports wherever management access is not required.
- Enforce Control Plane Access Control Lists (ACLs) to protect any REST/HTTP-enabled management interfaces, ensuring only trusted clients are allowed to connect to the HTTPS/REST endpoints.
- Enable comprehensive accounting, logging, and monitoring of all management interface activities to detect and respond to unauthorized access attempts promptly.

Authenticated Command Injection found in AOS-CX CLI Command (CVE-2026-23814)
- ---------------------------------------------------------------------

A vulnerability in the command parameters of a certain AOS-CX CLI command could allow a low-privilege authenticated remote attacker to inject malicious commands resulting in unwanted behavior.

Internal References: VULN-137
Severity: High
CVSSv3.1 Base Score: 8.8
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered by the National Cybersecurity Agency of Italy (ACN).

Workaround: To minimize the likelihood of an attacker exploiting this vulnerability, HPE Aruba Networking recommends that management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above, along with accounting controls for tracking and logging user activities and resource usage.
Authenticated Command Injection found in AOS-CX Administrative CLI Command (CVE-2026-23815)
- ---------------------------------------------------------------------

A vulnerability in a custom binary used in AOS-CX Switches' CLI could allow an authenticated remote attacker with high privileges to perform command injection. Successful exploitation could allow an attacker to execute unauthorized commands.

Internal References: VULN-147, VULN-230
Severity: High
CVSSv3.1 Base Score: 7.2
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by moonv through HPE Aruba Networking's Bug Bounty program.

Workaround: To minimize the likelihood of an attacker exploiting this vulnerability, HPE Aruba Networking recommends that management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above, along with accounting controls for tracking and logging user activities and resource usage.

Authenticated Command Injection found in admin AOS-CX CLI command (CVE-2026-23816)
- ---------------------------------------------------------------------

A vulnerability in the command line interface of AOS-CX Switches could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system.

Internal References: VULN-148
Severity: High
CVSSv3.1 Base Score: 7.2
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by moonv through HPE Aruba Networking's Bug Bounty program.

Workaround: To minimize the likelihood of an attacker exploiting this vulnerability, HPE Aruba Networking recommends that management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above, along with accounting controls for tracking and logging user activities and resource usage.
Unauthenticated Open Redirect allows URL Manipulation in Web Interface (CVE-2026-23817)
- ---------------------------------------------------------------------

A vulnerability in the web-based management interface of AOS-CX Switches could allow an unauthenticated remote attacker to redirect users to an arbitrary URL.

Internal References: VULN-58
Severity: Medium
CVSSv3.1 Base Score: 6.5
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Discovery: This vulnerability was discovered by Christopher Simmelink through HPE Aruba Networking's Bug Bounty program.

Workaround: To minimize the likelihood of an attacker exploiting this vulnerability, HPE Aruba Networking recommends that management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above, along with accounting controls for tracking and logging user activities and resource usage.

Resolution
==========

To address the vulnerabilities described above in the affected software branches, it is recommended to upgrade HPE Networking AOS-CX to one of the following versions (as applicable):

- AOS-CX 10.17.xxxx: AOS-CX 10.17.1001 and above
- AOS-CX 10.16.xxxx: AOS-CX 10.16.1030 and above
- AOS-CX 10.13.xxxx: AOS-CX 10.13.1161 and above
- AOS-CX 10.10.xxxx: AOS-CX 10.10.1180 and above

Software versions with resolution/fixes for the vulnerabilities covered above can be downloaded from the HPE Networking Support Portal at https://networkingsupport.hpe.com/home/

HPE Aruba Networking does not evaluate or patch software branches that have reached their End of Maintenance (EoM) milestone. For more information about HPE Aruba Networking End of Life policy please visit: https://www.hpe.com/psnow/doc/a00143052enw

Workaround
==========

Vulnerability specific workarounds are listed per vulnerability above. You may contact HPE Services - HPE Aruba Networking for assistance if needed.
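The Affected Products and Resolution sections above give, per AOS-CX branch, the highest affected build and the lowest fixed build. The script below is an added example (not HPE code and not part of the advisory) that turns that table into an inventory check. It assumes the version string is taken from the switch's version output, optionally prefixed by a two-letter platform code such as "FL." (an assumption; the prefix is ignored for comparison), and the sample inventory, hostnames and versions alike, is constructed. A branch the advisory does not list is flagged rather than cleared, because the advisory states that End of Support branches are expected to be affected.

```python
"""Classify AOS-CX switch versions against HPESBNW05027's affected/fixed table.

Added example. The table values are copied from the advisory's Affected
Products and Resolution sections; the inventory below is constructed.
"""
import re

# Branch (major, minor) -> (highest affected build, lowest fixed build),
# taken from the advisory. Builds between the two are not listed there.
ADVISORY_TABLE = {
    (10, 17): ((10, 17, 1), (10, 17, 1001)),
    (10, 16): ((10, 16, 1020), (10, 16, 1030)),
    (10, 13): ((10, 13, 1160), (10, 13, 1161)),
    (10, 10): ((10, 10, 1170), (10, 10, 1180)),
}

# Assumption: the version output may prefix the number with a platform
# code such as "FL." or "ML."; the prefix is ignored for comparison.
VERSION_RE = re.compile(r"^(?:[A-Z]{2}\.)?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Turn '10.16.1020' or 'FL.10.16.1020' into the tuple (10, 16, 1020)."""
    m = VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised AOS-CX version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def classify(version):
    """Return 'affected', 'fixed', 'unlisted-build' or 'branch-not-listed'."""
    v = parse_version(version)
    branch = v[:2]
    if branch not in ADVISORY_TABLE:
        # The advisory says End of Support branches are expected to be
        # affected, so an unlisted branch needs follow-up, not a pass.
        return "branch-not-listed"
    highest_affected, lowest_fixed = ADVISORY_TABLE[branch]
    if v <= highest_affected:
        return "affected"
    if v >= lowest_fixed:
        return "fixed"
    # Between the two listed builds: not covered by the advisory text.
    return "unlisted-build"


def audit(inventory):
    """Classify each (hostname, version) pair; returns (host, version, status) tuples."""
    return [(host, ver, classify(ver)) for host, ver in inventory]


def needs_action(inventory):
    """Hostnames that the advisory table does not confirm as fixed."""
    return sorted(host for host, _, status in audit(inventory) if status != "fixed")


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("core-sw-1", "FL.10.16.1020"),
    ("core-sw-2", "ML.10.16.1030"),
    ("edge-sw-3", "10.17.0001"),
    ("edge-sw-4", "10.17.1001"),
    ("lab-sw-5", "10.12.1000"),
    ("dc-sw-6", "10.10.1175"),
]

if __name__ == "__main__":
    for host, ver, status in audit(SAMPLE_INVENTORY):
        print(f"{host:<12} {ver:<16} {status}")
    print("needs action:", ", ".join(needs_action(SAMPLE_INVENTORY)))
```

Comparison is done per branch, since a 10.13 build number says nothing about a 10.16 build; replace SAMPLE_INVENTORY with the (hostname, version) pairs exported from your own inventory system.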
For more information, please visit HPE Networking Support Portal at https://networkingsupport.hpe.com/home.

Exploitation and Public Discussion
==================================

HPE Aruba Networking is not aware of any public discussion or exploit code targeting these specific vulnerabilities as of the release date of the advisory.

Revision History
================

Revision 1 / 2026-Mar-10 / Initial release

HPE Aruba Networking SIRT Security Procedures
==============================================

Complete information on reporting security vulnerabilities in HPE Aruba Networking products and obtaining assistance with security incidents is available at:
http://www.hpe.com/support/security-response-policy

For reporting NEW HPE Aruba Networking security issues, email can be sent to networking-sirt@hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at:
https://www.hpe.com/info/psrt-pgp-key

(c) Copyright 2026 by Hewlett Packard Enterprise Development LP. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information.

-----BEGIN PGP SIGNATURE-----

iQHLBAEBCAA1FiEEMErWmuZGsYOCo0+xpjMm7I0cE64FAmmpkF0XHHNlY3VyaXR5
LWFsZXJ0QGhwZS5jb20ACgkQpjMm7I0cE66AvgwAnRDqUc3Rbd++Erqsl1mhBO2y
1ktFvJnI7Fbgq7KIjfIwwSOUwICCHO7L5RIQdTLB7Iw96Xe2j0u/rIWCC1A+0Sg/
r833efDZdQKuv5fAwJg4O7p//OysN9MEP8Kr6BlSCgxrXyTdNCs7HeiaWyng0qTm
LaOSmd64W8K7ACttdGvZ4F850ZlR9UCmAJv5lcXx7QgXi65P8CMMWB4jeOGa4vgA
HOvKY/7V9C0RRkYyehx/YUF89yRe7dbeUqa5C5u/e/u7v4GnzmyT0rgfgWS3Gkih
Us6CaUrSZDz+aWjD+jP1jcKJAKeMB6dyFxBNH1XB2q/DHa5m9mCWCYzMQs5ihffW
ZAJhscgugpNtBLirnLxM6meUayMubdwZkKtrjAQXHdDqLf9MqwijE7EaaMTVI/GA
ZDpFgEP47ueVohoxA51t2imOdDqP32hkI0GC+tplREQy+8gX+9IKJ7fhU62CuCEz
TIvp6l150rT8aMQOIYTEn7r1f+8SkfyZZ24tlovA
=AI+x
-----END PGP SIGNATURE-----