Share
## https://sploitus.com/exploit?id=5138E609-7524-5859-A85E-CCDAA5FA5027
# CVE-2026-23813 โ€” AOS-CX Pre-Auth Authentication Bypass

> Unauthenticated remote attackers can reach the AOS-CX management REST API
> by smuggling a `login` token through nginx's over-permissive version regex,
> exposing the OVSDB-backed configuration surface (including the hashed
> admin credential).

- **CVE:** [CVE-2026-23813](https://nvd.nist.gov/vuln/detail/CVE-2026-23813)
- **CWE-287** ยท **CVSS 9.8 (Critical)**
- **Vendor:** HPE Aruba Networking ยท **Product:** AOS-CX
- **Write-up:** [offseckit.com/blog/cve-2026-23813](https://offseckit.com/blog/cve-2026-23813)

## Affected versions

| Branch  | Vulnerable    | Fixed       |
|---------|---------------|-------------|
| 10.17.x | โ‰ค 10.17.0001  | 10.17.1001  |
| 10.16.x | โ‰ค 10.16.1020  | 10.16.1030  |
| 10.13.x | โ‰ค 10.13.1160  | 10.13.1161  |
| 10.10.x | โ‰ค 10.10.1170  | 10.10.1180  |

## Quick start

### Check if a device is patched (defenders)

```bash
python3 detect.py 
```

Sends one read-only GET. Prints `PATCHED`, `VULNERABLE`, or `UNKNOWN`.
Makes no changes. Suitable for inventory sweeps.

### Understand the bypass (researchers)

```bash
python3 bypass_demo.py 
```

Sends the same endpoint twice โ€” once normally, once with the smuggle โ€”
and prints the response codes side-by-side. No state change. See
[`docs/root-cause.md`](docs/root-cause.md) for the *why*.

### Demonstrate impact (authorized testing only)

```bash
python3 exploit.py 
```

Creates a checkpoint via the unauthenticated path, reads the full
running config, prints the admin hash. The checkpoint persists on the
device โ€” the REST endpoints reachable via the bypass do not accept
`DELETE`; remove the checkpoint via console / authorized session if
needed.

## Files

| File                              | Purpose                                          |
|-----------------------------------|--------------------------------------------------|
| `detect.py`                       | Non-destructive patch-status check               |
| `bypass_demo.py`                  | Educational side-by-side of the bypass mechanic  |
| `exploit.py`                      | Config-disclosure PoC (creates a checkpoint)     |
| `detection/nginx-access.md`       | Log signatures for nginx access logs             |
| `detection/suricata.rules`        | Suricata rule for the smuggle URI shape          |
| `docs/root-cause.md`              | Short root-cause explainer                       |
| `docs/patch-diff.md`              | The fix, in one diff                             |

## Requirements

Python 3.8+ and `requests`:

```bash
pip install requests
```

## Authorized use only

This is security research. Only use against systems you own or have
explicit written permission to test. Unauthorized access to networking
equipment is illegal in most jurisdictions.

## Credits

Independent post-patch analysis and PoC by **4252nez** โ€” write-up on
[OffSecKit](https://offseckit.com/blog/cve-2026-23813).
Original vulnerability reported by moonv via the HPE Bugcrowd program;
this repository has no affiliation with that report.

## License

MIT โ€” see [LICENSE](LICENSE).