Critical Vulnerabilities in Aruba Networking AOS-CX
12 March 2026
Hewlett Packard Enterprise (HPE) has released software patches to address multiple security vulnerabilities in the Aruba Networking AOS-CX operating system. Users and administrators of affected product versions are advised to update to the latest versions immediately.
Background
AOS-CX is the operating system used on Aruba's CX-series campus and data centre switches. The most severe vulnerability (CVE-2026-23813) has been assigned a Common Vulnerability Scoring System (CVSS v3.1) score of 9.8 out of 10.
Impact
Successful exploitation of these vulnerabilities could allow:
CVE-2026-23813 (CVSSv3.1: 9.8): An unauthenticated remote attacker to bypass existing authentication controls and reset the administrator password.
CVE-2026-23814: A low-privilege authenticated remote attacker to inject malicious commands resulting in unwanted behaviour.
CVE-2026-23815: A high-privilege authenticated remote attacker to perform command injection and execute unauthorised commands.
CVE-2026-23816: An authenticated remote attacker to execute arbitrary commands on the underlying operating system.
CVE-2026-23817: An unauthenticated remote attacker to redirect users to an arbitrary URL.
Affected Products
The vulnerabilities affect HPE Aruba Networking AOS-CX Software Version(s):
AOS-CX 10.17.xxxx: 10.17.0001 and below
AOS-CX 10.16.xxxx: 10.16.1020 and below
AOS-CX 10.13.xxxx: 10.13.1160 and below
AOS-CX 10.10.xxxx: 10.10.1170 and below
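To triage a switch inventory against the ranges listed above, the following added example (not part of the HPE advisory or any HPE tooling) classifies version strings by release train. It assumes versions may carry a two-letter platform prefix such as "FL."; the hostnames and sample versions are constructed for illustration.

```python
import re

# Highest affected build per release train, copied from the list above.
AFFECTED_MAX_BUILD = {
    (10, 17): 1,     # 10.17.0001 and below
    (10, 16): 1020,  # 10.16.1020 and below
    (10, 13): 1160,  # 10.13.1160 and below
    (10, 10): 1170,  # 10.10.1170 and below
}

# Assumption: an optional two-letter platform prefix ("FL.", "GL.", ...) may
# precede the version, and the build field is exactly four digits.
_VERSION_RE = re.compile(r"^(?:[A-Za-z]{2}\.)?(\d+)\.(\d+)\.(\d{4})(?!\d)")


def classify(version):
    """Return 'affected', 'above-affected-range', 'unlisted-train' or 'unparsed'."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        return "unparsed"  # needs manual review, never silently treated as safe
    major, minor, build = (int(group) for group in match.groups())
    limit = AFFECTED_MAX_BUILD.get((major, minor))
    if limit is None:
        # The advisory does not list this train; check the vendor bulletin.
        return "unlisted-train"
    return "affected" if build <= limit else "above-affected-range"


def triage(inventory):
    """Group (hostname, version) pairs into {status: [hostnames]}."""
    grouped = {}
    for host, version in inventory:
        grouped.setdefault(classify(version), []).append(host)
    return grouped


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = [
    ("core-sw-01", "FL.10.13.1160"),
    ("core-sw-02", "10.13.1161"),
    ("dist-sw-01", "GL.10.10.1090"),
    ("dist-sw-02", "10.17.0001"),
    ("edge-sw-01", "10.14.1000"),
    ("edge-sw-02", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status}: {', '.join(hosts)}")
```

Devices reported as unlisted-train or unparsed should be checked by hand against the vendor bulletin rather than assumed unaffected.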
Recommendations
Users and administrators of affected product versions are advised to update to the latest versions immediately.
If immediate patching is not possible, administrators should:
Restrict management interface access to trusted hosts
Isolate management traffic
Disable unnecessary HTTP(S) interfaces
Enforce ACL protections for REST/HTTPS endpoints
Enable logging and monitoring to detect unauthorised access
References
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05027en_us&docLocale=en_US
https://nvd.nist.gov/vuln/detail/CVE-2026-23813
https://nvd.nist.gov/vuln/detail/CVE-2026-23814
https://nvd.nist.gov/vuln/detail/CVE-2026-23815
https://nvd.nist.gov/vuln/detail/CVE-2026-23816
