Critical flaw in HPE Aruba CX switches lets attackers seize admin control without credentials

Exposure spans campus to data center switching: The vulnerabilities affect AOS-CX software across four active version branches, spanning entry-level campus switches to data center-class hardware. Versions that reached the end of support before the advisory’s publication are also expected to be vulnerable, the advisory said. Organizations running AOS-CX 10.17.0001 and below, 10.16.1020 and below, 10.13.1160 and below, or 10.10.1170 and below are affected, the advisory added.

The disclosure follows a series of recent HPE security advisories. In December 2025, HPE patched a maximum-severity remote code execution (RCE) flaw in its OneView infrastructure management software that affected all versions from 5.20 through 10.20. Weeks later, CISA added that flaw to its Known Exploited Vulnerabilities catalog, setting a January 28 deadline for federal civilian agencies to patch.
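To triage a switch inventory against the four AOS-CX version ranges listed above, a check along these lines can help. It is an added example, not code from the advisory or from HPE; the hostnames and inventory are constructed, and the handling of an optional two-letter platform prefix (such as "FL.") is an assumption about how versions appear in your inventory.

```python
import re

# Highest affected build per branch, taken from the ranges quoted in the article.
AFFECTED_CEILING = {
    (10, 17): 1,     # 10.17.0001 and below
    (10, 16): 1020,  # 10.16.1020 and below
    (10, 13): 1160,  # 10.13.1160 and below
    (10, 10): 1170,  # 10.10.1170 and below
}

# Assumption: versions may carry a platform prefix, e.g. "FL.10.13.1160".
VERSION_RE = re.compile(r"^(?:[A-Z]{2}\.)?(\d+)\.(\d+)\.(\d+)$")


def classify(version: str) -> str:
    """Return a triage label for one AOS-CX version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unparsed"  # needs manual review
    major, minor, build = (int(g) for g in m.groups())
    ceiling = AFFECTED_CEILING.get((major, minor))
    if ceiling is None:
        # Not one of the four listed branches. End-of-support branches are
        # expected to be vulnerable, so never treat this label as "safe".
        return "unlisted-branch"
    return "affected" if build <= ceiling else "above-affected-range"


def triage(inventory: dict) -> dict:
    """Group hostnames by triage label."""
    report = {}
    for host, version in inventory.items():
        report.setdefault(classify(version), []).append(host)
    return report


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = {
    "core-dc-01": "FL.10.13.1160",
    "agg-02": "10.17.0001",
    "access-12": "10.10.1180",
    "edge-03": "10.12.1000",
    "lab-01": "unknown",
}

if __name__ == "__main__":
    for label, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{label}: {', '.join(hosts)}")
```

Hosts labelled "unlisted-branch" or "unparsed" still need a manual check against the advisory before they are considered out of scope.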

What to do before patching: The advisory recommended isolating switch management interfaces to a dedicated Layer 2 segment or VLAN, enforcing firewall policies at Layer 3 and above to limit access to authorized hosts, and disabling HTTP and HTTPS interfaces on Switched Virtual Interfaces and routed ports where management access is not needed.

Enforcing Control Plane Access Control Lists on REST and HTTPS endpoints and enabling comprehensive logging of management interface activity were also recommended, the advisory said. “HPE Aruba Networking does not evaluate or patch software branches that have reached their End of Maintenance (EoM) milestone,” the advisory noted.

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4143607/critical-flaw-in-hpe-aruba-cx-switches-lets-attackers-seize-admin-control-without-credentials.html
