
HPE Patches Critical Aruba Networking AOS-CX Vulnerabilities

CSA Alerts & Advisories (Singapore), www.csa.gov.sg
Published March 12th, 2026
Detected March 13th, 2026

Summary

Hewlett Packard Enterprise (HPE) has released patches for critical vulnerabilities in its Aruba Networking AOS-CX operating system. The most severe flaw (CVE-2026-23813) allows unauthenticated remote attackers to reset administrator passwords. Users are urged to update immediately.

What changed

Hewlett Packard Enterprise (HPE) has issued patches for multiple critical security vulnerabilities affecting its Aruba Networking AOS-CX operating system, used in CX-series campus and data center switches. The most severe vulnerability, CVE-2026-23813 (CVSS 9.8), allows unauthenticated remote attackers to bypass authentication and reset administrator passwords. Other vulnerabilities include command injection and arbitrary URL redirection.

Users and administrators of affected AOS-CX versions (10.17.xxxx, 10.16.xxxx, 10.13.xxxx, 10.10.xxxx below specified patch levels) are strongly advised to update to the latest versions immediately. If immediate patching is not feasible, interim mitigation strategies include restricting management interface access, isolating management traffic, disabling unnecessary HTTP(S) interfaces, enforcing ACL protections, and enabling robust logging and monitoring.

What to do next

  1. Update Aruba Networking AOS-CX to the latest patched versions immediately.
  2. If immediate patching is not possible, implement interim mitigation strategies including restricting management interface access, isolating management traffic, and disabling unnecessary HTTP(S) interfaces.

Source document (simplified)

Alerts

Critical Vulnerabilities in Aruba Networking AOS-CX

12 March 2026

Hewlett Packard Enterprise (HPE) has released software patches to address multiple security vulnerabilities in the Aruba Networking AOS-CX operating system. Users and administrators of affected product versions are advised to update to the latest versions immediately.

Background

HPE has released software patches to address multiple security vulnerabilities in the Aruba Networking AOS-CX operating system. AOS-CX is used on Aruba's CX-series campus and data centre switch devices. The most severe vulnerability (CVE-2026-23813) has been assigned a Common Vulnerability Scoring System (CVSS v3.1) score of 9.8 out of 10.

Impact

Successful exploitation of these vulnerabilities could allow:

  • CVE-2026-23813 (CVSSv3.1: 9.8): An unauthenticated remote attacker to bypass existing authentication controls and reset the administrator password.

  • CVE-2026-23814: A low-privilege authenticated remote attacker to inject malicious commands resulting in unwanted behaviour.

  • CVE-2026-23815: A high-privilege authenticated remote attacker to perform command injection and execute unauthorised commands.

  • CVE-2026-23816: An authenticated remote attacker to execute arbitrary commands on the underlying operating system.

  • CVE-2026-23817: An unauthenticated remote attacker to redirect users to an arbitrary URL.

Affected Products

The vulnerabilities affect HPE Aruba Networking AOS-CX Software Version(s):

  • AOS-CX 10.17.xxxx: 10.17.0001 and below

  • AOS-CX 10.16.xxxx: 10.16.1020 and below

  • AOS-CX 10.13.xxxx: 10.13.1160 and below

  • AOS-CX 10.10.xxxx: 10.10.1170 and below
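
An inventory triage against the version ranges listed above, as an added example that is not part of the CSA or HPE advisory. The platform-prefix handling (e.g. `FL.`) and the sample hosts are assumptions; branches the advisory does not list are flagged for a manual check against the HPE bulletin rather than treated as safe.

```python
import re

# Highest affected build per release branch, taken from the list above.
AFFECTED_MAX = {"10.17": 1, "10.16": 1020, "10.13": 1160, "10.10": 1170}

# Assumption: inventory strings may carry a two-letter platform prefix
# such as "FL."; the advisory itself lists bare 10.xx.yyyy numbers.
VERSION_RE = re.compile(r"^(?:[A-Za-z]{2}\.)?(\d+)\.(\d+)\.(\d+)$")

# Review order: confirmed-affected first, then anything needing a human.
PRIORITY = {"affected": 0, "unparsed": 1, "branch-not-listed": 2,
            "above-listed-range": 3}


def classify(version):
    """Map one AOS-CX version string to a triage status."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unparsed"            # never assume an odd string is safe
    branch = f"{int(m.group(1))}.{int(m.group(2))}"
    build = int(m.group(3))          # "0001" -> 1
    if branch not in AFFECTED_MAX:
        return "branch-not-listed"   # check the HPE bulletin manually
    if build <= AFFECTED_MAX[branch]:
        return "affected"
    return "above-listed-range"


def triage(inventory):
    """Return (host, version, status) rows, most urgent first."""
    rows = [(host, ver, classify(ver)) for host, ver in inventory]
    return sorted(rows, key=lambda r: (PRIORITY[r[2]], r[0]))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("core-sw-01", "FL.10.13.1160"),
    ("dc-leaf-07", "10.16.1021"),
    ("access-22", "10.17.0001"),
    ("lab-sw-03", "10.14.1000"),
    ("edge-09", "unknown"),
]

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {ver:16} {status}")
```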

Recommendations

Users and administrators of affected product versions are advised to update to the latest versions immediately.

If immediate patching is not possible, administrators should:

  • Restrict management interface access to trusted hosts

  • Isolate management traffic

  • Disable unnecessary HTTP(S) interfaces

  • Enforce ACL protections for REST/HTTPS endpoints

  • Enable logging and monitoring to detect unauthorised access

References

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05027enus&docLocale=enUS

https://nvd.nist.gov/vuln/detail/CVE-2026-23813

https://nvd.nist.gov/vuln/detail/CVE-2026-23814

https://nvd.nist.gov/vuln/detail/CVE-2026-23815

https://nvd.nist.gov/vuln/detail/CVE-2026-23816

https://nvd.nist.gov/vuln/detail/CVE-2026-23817

https://www.bleepingcomputer.com/news/security/hpe-warns-of-critical-aos-cx-flaw-allowing-admin-password-resets/


Analysis generated by AI. Source diff and links are from the original.

Classification

Agency: Various
Published: March 12th, 2026
Instrument: Notice
Legal weight: Non-binding
Stage: Final
Change scope: Substantive

Who this affects

Applies to: Technology companies
Geographic scope: INT

Taxonomy

Primary area: Cybersecurity
Operational domain: IT Security
Topics: Product Security, Network Infrastructure
