What is CVE-2026-23813 / CVE-2026-23814?
CVE-2026-23813 and CVE-2026-23814 are critical vulnerabilities affecting HPE Aruba Networking AOS-CX, the network operating system used by Aruba CX-series campus and data center switches. These vulnerabilities impact the management plane of the platform and can enable attackers to bypass authentication controls or inject commands into the system under certain conditions.
CVE-2026-23813 is the most severe issue in the disclosure set. It is an authentication bypass vulnerability in the web-based management interface of AOS-CX that allows a remote attacker to circumvent existing authentication controls. Successful exploitation can allow an unauthenticated actor to reset the administrator password of the device, potentially enabling full administrative control of the switch. The vulnerability is remotely exploitable with low attack complexity and requires no authentication or user interaction.
CVE-2026-23814 is a high-severity command injection vulnerability affecting a specific command parameter in the AOS-CX command-line interface (CLI). In this case, a remote attacker with low-privilege authenticated access can inject crafted command parameters that result in execution of unintended commands within the device environment. Improper validation of CLI parameters is the root cause of the issue.
While CVE-2026-23814 requires authenticated access, it becomes significantly more concerning when considered alongside CVE-2026-23813. An attacker who first abuses the authentication bypass to gain administrative control of the switch could then use the command injection flaw to execute further commands or manipulate system behavior. Together, these flaws form a realistic attack chain against the management plane of critical networking infrastructure.
What assets are affected by CVE-2026-23813 / CVE-2026-23814?
The vulnerabilities affect HPE Aruba Networking AOS-CX software used across Aruba CX-series switches deployed in enterprise campus networks and data center environments. AOS-CX is a Linux-based network operating system that supports automation, REST APIs, and web-based management capabilities used for device administration and configuration.
According to the vendor advisory, the following AOS-CX software branches are affected:
- AOS-CX 10.17.xxxx versions 10.17.0001 and earlier
- AOS-CX 10.16.xxxx versions 10.16.1020 and earlier
- AOS-CX 10.13.xxxx versions 10.13.1160 and earlier
- AOS-CX 10.10.xxxx versions 10.10.1170 and earlier
These versions are commonly deployed across Aruba CX switch models used for campus aggregation, access switching, and data center networking. The risk is particularly relevant for devices where the web-based management interface or remote CLI access is reachable from external networks, partner networks, or unmanaged internal segments.
Because the vulnerabilities target the device management interfaces rather than a specific hardware platform, any Aruba CX switch running the affected AOS-CX versions may be vulnerable if the management plane is reachable by an attacker.
External exposure considerations
Externally exposed network infrastructure management interfaces remain a recurring pattern across large enterprise attack surfaces. While most organizations intend for switch management interfaces to be restricted to internal administration networks, exposure frequently occurs through misconfigured firewall policies, remote administration portals, inherited infrastructure from acquisitions, or internet-reachable management gateways.
In the context of AOS-CX, the attack surface primarily emerges from HTTP or HTTPS management interfaces and remote administrative access paths used by operations teams. These interfaces are sometimes reachable through VPN portals, jump hosts, or temporary network exceptions created for operational access. Over time, these pathways can become persistent exposures if they are not continuously monitored.
Additionally, unmanaged or forgotten network devices can remain accessible through legacy management endpoints even after segmentation policies are introduced. Because switches often function as long-lived infrastructure components, older firmware versions may remain deployed in production networks long after patches become available.
From an attacker's perspective, externally reachable network device management interfaces are a high-value target. Compromise of a switching platform can enable persistent access to network infrastructure, manipulation of traffic flows, interception of sensitive data, or lateral movement deeper into enterprise environments. An authentication bypass that needs no prior credentials significantly lowers the barrier to initial access if these interfaces are exposed.
Are fixes available?
HPE has released software updates that address the vulnerabilities across affected AOS-CX branches. Organizations are advised to upgrade to the following versions or later:
- AOS-CX 10.17.1001 or later
- AOS-CX 10.16.1030 or later
- AOS-CX 10.13.1161 or later
- AOS-CX 10.10.1180 or later
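The affected and fixed version lists above leave a gap on some branches (for example, 10.16.1020 is listed as affected and 10.16.1030 as fixed), and branches not named at all may be end-of-maintenance. The triage helper below is an added example, not CyCognito or HPE code: it encodes the thresholds exactly as stated on this page and classifies an inventory of switch version strings as affected, fixed, indeterminate (between the two quoted builds) or on an unlisted branch. It assumes the AOS-CX version format `MAJOR.MINOR.BBBB` with an optional two-letter platform prefix; the sample inventory is constructed.

```python
from __future__ import annotations
import re

# Per-branch thresholds taken from the advisory text on this page:
# the last build reported affected and the first build reported fixed.
ADVISORY_BRANCHES = {
    (10, 17): {"last_affected": 1, "first_fixed": 1001},
    (10, 16): {"last_affected": 1020, "first_fixed": 1030},
    (10, 13): {"last_affected": 1160, "first_fixed": 1161},
    (10, 10): {"last_affected": 1170, "first_fixed": 1180},
}

# Assumption: versions look like "10.13.1160", optionally prefixed with a
# two-letter platform code such as "FL." (common in AOS-CX "show version").
_VERSION_RE = re.compile(r"^(?:[A-Z]{2}\.)?(\d+)\.(\d+)\.(\d{4})$")

def parse_aos_cx_version(version: str) -> tuple[int, int, int]:
    """Split a version string into (major, minor, build) integers."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised AOS-CX version format: {version!r}")
    major, minor, build = (int(g) for g in m.groups())
    return major, minor, build

def assess_version(version: str) -> str:
    """Classify one version against the advisory thresholds."""
    major, minor, build = parse_aos_cx_version(version)
    branch = ADVISORY_BRANCHES.get((major, minor))
    if branch is None:
        # Branch not named by the advisory: possibly end-of-maintenance,
        # so it cannot be assumed safe; confirm with the vendor.
        return "unlisted-branch"
    if build <= branch["last_affected"]:
        return "affected"
    if build >= branch["first_fixed"]:
        return "fixed"
    # Build sits between the quoted affected and fixed builds.
    return "indeterminate"

def triage_inventory(inventory: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Group hostnames by assessment; malformed versions go to 'unparseable'."""
    groups: dict[str, list[str]] = {}
    for hostname, version in inventory:
        try:
            status = assess_version(version)
        except ValueError:
            status = "unparseable"
        groups.setdefault(status, []).append(hostname)
    return groups
```

Feed it the output of an inventory export (hostname, version) and treat every bucket except `fixed` as work to do; `indeterminate` and `unlisted-branch` need a check against the vendor advisory rather than an assumption either way.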
At the time of disclosure, the vendor stated that it was not aware of any public exploitation or proof-of-concept code targeting these vulnerabilities.
Systems running software branches that have reached end-of-maintenance may remain vulnerable if updates are not available for those versions.
Are there any other recommended actions to take?
Organizations should restrict access to all network device management interfaces to dedicated management networks, enforce strict ACLs limiting which hosts can reach management endpoints, disable unnecessary HTTP or HTTPS management services, and ensure logging and monitoring are enabled for administrative access attempts.
How can CyCognito help your organization?
CyCognito published an Emerging Threat Advisory for CVE-2026-23813 inside the CyCognito platform on February 2, 2026, and is actively researching enhanced detection capabilities for this vulnerability.
To learn how CyCognito can help your organization reduce external exposure and manage emerging threats more effectively, contact us to request a demo.