www.securityweek.com 3/14/2026, 10:59:53 AM · external

Critical HPE AOS-CX Vulnerability Allows Admin Password Resets


Hewlett Packard Enterprise (HPE) has issued patches for a critical vulnerability (CVE-2026-23813) in its Aruba Networking AOS-CX that allows attackers to reset administrator passwords remotely without authentication. The vulnerability, which has a CVSS score of 9.8, affects several switch series, including CX 4100i, 6000, 6100, and others. Successful exploitation could disrupt network communications and the integrity of business services.

HPE recommends mitigating the risk by implementing access controls, disabling HTTP(S) interfaces, and ensuring that management activities are logged. The updates also address three high-severity vulnerabilities (CVE-2026-23814, CVE-2026-23815, CVE-2026-23816) and a medium-severity issue allowing URL redirection. HPE has rolled out software versions that fix these issues and advises users to apply them promptly. No active exploits have been reported.


Article by CyberSIXT