
CVE-2026-23813: Critical HPE Aruba AOS-CX Flaw Grants Unauthenticated Admin Access — What Saudi Banks Must Do Now

A CVSS 9.8 authentication bypass in HPE Aruba AOS-CX switches lets any remote attacker reset admin credentials — no authentication required. Saudi banks running this hardware in branch or data-center networks need to act before its exploitation status changes.

FyntraLink Team

HPE disclosed CVE-2026-23813 last month — a CVSS 9.8 authentication bypass in the web management interface of its Aruba AOS-CX switching platform. An unauthenticated remote attacker can send a crafted HTTP request to the password-reset endpoint and gain full administrative control over the switch, no credentials required. For Saudi financial institutions whose branch and data-center networks are built on this platform, this is a high-priority remediation item.

What Is CVE-2026-23813 and Why Does It Score 9.8?

The vulnerability lives in the web-based management interface of AOS-CX switches. The root cause is insufficient validation of requests to the password-reset functionality: the interface fails to verify that the requestor holds a valid authenticated session before executing the reset. An attacker on the same management network — or on any network with reachability to the switch's HTTPS/REST management port — can craft a single HTTP request that triggers a full admin credential reset, then log in with their chosen password and assume complete control of the device. The attack requires no prior knowledge of the existing administrator credentials and leaves no obvious alert in default logging configurations unless management-plane accounting has been explicitly enabled. CVSS 3.1 rates the vector as Network, Complexity Low, Privileges None, User Interaction None — hence the near-perfect score.

Affected HPE Aruba AOS-CX Models

HPE's advisory lists the following product families as affected: CX 4100i, CX 6000, CX 6100, CX 6200, CX 6300, CX 6400, CX 8320, CX 8325, CX 8360, CX 9300, and CX 10000 series switches. These are widely deployed as access, distribution, and core layer switches in enterprise and financial-sector environments across Saudi Arabia and the wider GCC. Any device running AOS-CX prior to version 10.17.1001, 10.16.1030, 10.13.1161, or 10.10.1180 is vulnerable. HPE has patched the flaw in those four releases; organisations should identify which code branch they are running and apply the corresponding update. As of early April 2026, HPE has not observed evidence of active exploitation in the wild, but the simplicity of the attack vector means that proof-of-concept code is likely to emerge quickly once the advisory gains wider circulation.

Implications for Saudi Financial Institutions Under SAMA CSCC and NCA ECC

SAMA's Cyber Security Framework (CSCC v2) dedicates an entire domain — Domain 4: Cyber Security Operations — to network security controls, requiring member organisations to maintain a current asset inventory, enforce access control on management interfaces, and apply patches within defined SLA windows based on criticality. A CVSS 9.8 vulnerability falls into the "Critical" tier, which SAMA guidance ties to the most aggressive patching timelines — typically 72 hours for internet-facing systems and no more than 30 days for internal infrastructure. NCA's Essential Cybersecurity Controls (ECC-2: 2.3 Network Security) similarly require that network devices be hardened against unauthorised management access and that out-of-band management be the norm for critical infrastructure components. An unpatched AOS-CX switch managing a bank's core switching fabric would represent a direct gap against both frameworks. Beyond regulatory exposure, a compromised core switch enables an attacker to manipulate VLANs, intercept traffic between payment processing systems, redirect SWIFT gateway communications, and disable link-aggregation groups — effectively taking down branch connectivity or isolating the data center from the internet.

Practical Remediation Steps

  1. Inventory immediately. Query your network management system or run show version across all AOS-CX devices to identify software versions. Export results to your CMDB and flag any device below the patched versions listed above.
  2. Patch in order of criticality. Prioritise core and distribution switches with management interfaces reachable from any shared segment. Branch access switches are lower risk but must still be patched within your SAMA-defined SLA for Critical vulnerabilities.
  3. Apply immediate mitigations on unpatched devices. Disable the HTTP/HTTPS interface on all Switched Virtual Interfaces (SVIs) and routed ports using no ip http server and no ip https server where supported. Enforce ACLs to allow management-plane HTTPS/REST access only from your dedicated out-of-band management network and jump-host IP ranges. Deny all other sources at the ACL level, not just at the firewall.
  4. Enable management-plane accounting. Activate TACACS+ or RADIUS accounting on all affected switches so that any authentication event — including password changes — is logged to a central SIEM. This provides the detection capability needed to identify exploitation attempts even before patching is complete.
  5. Review recent admin password-change logs. If any AOS-CX switch has had its admin password changed unexpectedly in the past 30 days, treat it as a potential indicator of compromise and initiate your incident response process. Capture a running configuration backup and compare against your last known-good baseline.
  6. Notify your CISO and complete a SAMA-required vulnerability disclosure record. Document the vulnerability identification date, affected assets, remediation actions, and closure date in your GRC platform to satisfy SAMA CSCC audit evidence requirements.
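As an added illustration of steps 1 and 2 (not code from this post, from HPE or from the Fyntralink team), the following Python script triages captured "show version" output against the four fixed releases the post lists, flagging devices that sit below their branch's fix or on a branch with no listed fix. The device names, the layout of the captured text and the sample versions are constructed assumptions; only the version token is parsed.

```python
import re
from typing import NamedTuple

# Minimum fixed release per AOS-CX code branch, as listed in the post above.
FIXED_RELEASES = {
    (10, 10): (10, 10, 1180),
    (10, 13): (10, 13, 1161),
    (10, 16): (10, 16, 1030),
    (10, 17): (10, 17, 1001),
}
# Matches the numeric x.y.zzzz part of a version string such as "FL.10.13.1050".
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d{4})\b")
fmt = lambda t: f"{t[0]}.{t[1]}.{t[2]:04d}"  # (10, 15, 5) -> "10.15.0005"

class Finding(NamedTuple):
    device: str
    version: str
    vulnerable: bool
    target: str  # release to move to, or a review note

def parse_version(text):
    """Extract the first version token from captured 'show version' text."""
    m = VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None

def assess(device, text):
    """Classify one device as patched or vulnerable against FIXED_RELEASES."""
    v = parse_version(text)
    if v is None:
        return Finding(device, "unknown", True, "manual review")
    version, branch = fmt(v), v[:2]
    if branch in FIXED_RELEASES:
        fixed = FIXED_RELEASES[branch]
        return Finding(device, version, v < fixed, fmt(fixed))
    # Branch with no listed fix (e.g. 10.15): vulnerable, and the target is the
    # lowest listed fix above it; anything above 10.17 needs the advisory.
    higher = sorted(f for b, f in FIXED_RELEASES.items() if b > branch)
    target = fmt(higher[0]) if higher else "check advisory"
    return Finding(device, version, True, target)

def triage(captures):
    """Run assess() over {device: show_version_text}; returns a list of Finding."""
    return [assess(d, t) for d, t in captures.items()]

# Constructed sample captures for four hypothetical switches, not real output.
SAMPLE = {
    "core-sw-01": "Version : FL.10.13.1050\nBuild Date : 2025-11-02",
    "dist-sw-02": "Version : FL.10.17.1001",
    "branch-sw-07": "Version : ML.10.15.0005",
    "branch-sw-09": "Version : ML.10.10.1180",
}
```

Running triage(SAMPLE) flags core-sw-01 (target 10.13.1161) and branch-sw-07 (target 10.16.1030) as vulnerable and reports the other two as patched; feed the findings into the CMDB export described in step 1.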

Broader Lesson: Management-Plane Security Is Still Under-Invested

CVE-2026-23813 is the latest in a pattern of critical vulnerabilities targeting network device management interfaces — a category that includes last year's Cisco IMC CVE-2026-20093 (CVSS 9.8) and the Citrix NetScaler session-leak chain. In each case, the common thread is that management interfaces are either exposed to broader network segments than necessary or are not monitored with the same rigour applied to perimeter systems. For Saudi financial institutions, the SAMA CSCC and NCA ECC frameworks provide a clear mandate: management access to network infrastructure should flow exclusively over a dedicated out-of-band network, authenticated via privileged access management (PAM) solutions with session recording, and every privileged action should generate a log event shipped to the SOC in real time. Organisations that have implemented this architecture reduce the blast radius of vulnerabilities like CVE-2026-23813 from "full network takeover" to "patching required within SLA" — a manageable operational event rather than a crisis.

Conclusion

CVE-2026-23813 in HPE Aruba AOS-CX is a straightforward but high-impact flaw: no authentication, no complexity, full admin control. Saudi banks and financial institutions using this switching platform must treat it as a critical finding, apply available patches or compensating controls within SAMA CSCC timelines, and use this as an opportunity to audit management-plane security architecture across the entire network estate. Waiting for evidence of active exploitation is not a sound risk posture when the attack is this simple to execute.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment — including a network device vulnerability and hardening review aligned to SAMA CSCC Domain 4 and NCA ECC 2.3.