
HPE patches critical AOS-CX authentication flaw that could reset admin passwords
Hewlett Packard Enterprise has issued patches for Aruba's AOS-CX network operating system, addressing multiple vulnerabilities including a critical authentication bypass (CVE-2026-23813) that could allow an unauthenticated attacker to reset the admin password via the web-based management interface. Mitigations include restricting management access to a secure L2 segment, applying strict Layer-3 ACLs, disabling HTTP(S) on SVIs and routed ports, and enabling comprehensive logging and management ACLs. HPE says no public exploit had been observed at the time of the advisory. The report also notes prior related disclosures and aligns with ongoing industry warnings from CISA on HP/E vulnerability exposure.