HPE Aruba Networking has issued a critical security alert for its Private 5G Core platform, rushing to patch a cluster of vulnerabilities that could allow attackers to bypass authentication and seize control of the network infrastructure. Discovered by the Communications Security Establishment (CSE), the flaws affect versions 1.24.3.0 through 1.24.3.3, with the most severe allowing an unauthenticated stranger to simply create their own admin account.
The most alarming flaw, tracked as CVE-2026-23595 (CVSS 8.8), is an authentication bypass in the application API that could let a remote attacker mint a new privileged user. The other issues are a service sabotage vulnerability (CVE-2026-23596) that lets an unauthenticated attacker trigger restarts via the management API, and two information leaks (CVE-2026-23597 and CVE-2026-23598) that expose details of user accounts, roles and internal configurations.
HPE Aruba has released version 1.25.1.0 to address these issues, and administrators running 1.24.3.x are urged to upgrade immediately to prevent unauthorized access and potential disruption.