Hewlett Packard Enterprise has patched multiple flaws in Aruba AOS-CX, the operating system used by Aruba CX switches, with the most severe issue tracked as CVE-2026-23813 (CVSS 9.8) allowing unprivileged attackers to bypass authentication and reset administrator passwords via a low-complexity attack.
According to the HPE Aruba Networking advisory, a vulnerability in the web-based management interface could enable an unauthenticated remote actor to circumvent authentication controls and, in some cases, reset the admin password. The researcher moonv reported the vulnerability through Aruba Networking’s Bug Bounty programme.
In addition to CVE-2026-23813, HPE addressed CVE-2026-23814 (CVSS 8.8), CVE-2026-23815 (CVSS 7.2), CVE-2026-23816 (CVSS 7.2) and CVE-2026-23817 (CVSS 6.5), all involving authenticated or unauthenticated command injection or open redirect vulnerabilities. There is no evidence of exploitation in the wild as of the advisory date.
The article also notes a July 2025 disclosure of hardcoded credentials in Aruba Instant On Wi-Fi devices, tracked as CVE-2025-37103 (CVSS 9.8), which could allow bypassing login and gaining administrative access.