
HPE warns of dangerous security flaw which could allow Aruba OS password resets

2026-03-11 16:25

HPE says it fixed five major flaws recently, including one deemed 'critical'.

News by Sead Fadilpašić, published 11 March 2026

HPE says it recently fixed five major flaws

  • HPE patches five vulnerabilities in Aruba AOS-CX
  • Critical flaw (CVE-2026-23813) allowed admin password reset
  • Company urges mitigations until fixes are applied

Hewlett Packard Enterprise (HPE) has warned its customers after discovering five vulnerabilities in its products, including one which cybercriminals could use to take over certain endpoints.

In a newly released security advisory, HPE said it addressed a critical authentication bypass flaw that unauthenticated attackers can use in low-complexity attacks to reset admin passwords. The bug is tracked as CVE-2026-23813 and has a severity score of 9.1/10 (critical).

It affects the Aruba Networking AOS-CX operating system, a cloud-native network OS built for HPE’s CX-series campus and data center switch hardware.


Patches and workarounds

"A vulnerability has been identified in the web-based management interface of AOS-CX switches that could potentially allow an unauthenticated remote actor to circumvent existing authentication controls," HPE said in the advisory. "In some cases this could enable resetting the admin password."

The other four vulnerabilities are now tracked as CVE-2026-23814, CVE-2026-23815, CVE-2026-23816, and CVE-2026-23817, apparently affecting AOS-CX 10.17.xxxx: 10.17.0001 and below, AOS-CX 10.16.xxxx: 10.16.1020 and below, AOS-CX 10.13.xxxx: 10.13.1160 and below, and AOS-CX 10.10.xxxx: 10.10.1170 and below.
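To triage a switch inventory against the version ranges listed above, the following added example (not from HPE or the article) sorts devices by whether their build falls at or below a listed ceiling. The hostnames, the sample versions and the optional platform prefix such as "FL." are assumptions; branches the article does not list are reported separately rather than treated as safe.

```python
import re

# Highest affected build per release branch, as listed in the article.
AFFECTED_MAX = {
    (10, 17): 1,     # 10.17.0001 and below
    (10, 16): 1020,  # 10.16.1020 and below
    (10, 13): 1160,  # 10.13.1160 and below
    (10, 10): 1170,  # 10.10.1170 and below
}

# Assumption: a version string ends in major.minor.build, optionally preceded
# by a platform prefix such as "FL." (prefixes are not mentioned in the article).
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)$")


def classify(version):
    """Return a triage status for one AOS-CX version string."""
    m = _VERSION.search(version.strip())
    if not m:
        return "unparseable"
    major, minor, build = (int(g) for g in m.groups())
    ceiling = AFFECTED_MAX.get((major, minor))
    if ceiling is None:
        # The article gives no range for this branch; consult the advisory.
        return "branch-not-listed"
    return "affected" if build <= ceiling else "above-listed-range"


def triage(inventory):
    """Map each status to the sorted hostnames that fall under it."""
    report = {}
    for host, version in inventory.items():
        report.setdefault(classify(version), []).append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "core-sw1": "FL.10.13.1160",
    "core-sw2": "FL.10.13.1161",
    "dc-leaf1": "10.17.0001",
    "dc-leaf2": "GL.10.16.1030",
    "edge-sw1": "10.15.1005",
    "lab-sw1": "unknown",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```

Devices reported as "branch-not-listed" or "unparseable" need a manual check against the HPE advisory, since the article does not say whether those releases are affected.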

The good news is that there are no reports of abuse in the wild just yet.

If you can’t apply the fix immediately, HPE also shared a list of possible mitigations:


  • Restrict access to all management interfaces to a dedicated Layer 2 segment or VLAN to isolate management traffic from general network traffic,
  • Implement strict policies at Layer 3 and above to control access to management interfaces, permitting only authorized and trusted hosts,
  • Disable HTTP(S) interfaces on Switched Virtual Interfaces (SVIs) and routed ports wherever management access is not required,
  • Enforce Control Plane Access Control Lists (ACLs) to protect any REST/HTTP-enabled management interfaces, ensuring only trusted clients are allowed to connect to the HTTPS/REST endpoints,
  • Enable comprehensive accounting, logging, and monitoring of all management interface activities to detect and respond to unauthorized access attempts promptly.

Via BleepingComputer
