CVE-2026-23821: AOS-10 Access Points RCE Vulnerability

CVE-2026-23821 Overview

CVE-2026-23821 is an authenticated command injection vulnerability in the configuration processing logic of Hewlett Packard Enterprise (HPE) Aruba Networking Access Points running AOS-10. An attacker with high privileges and network access can execute arbitrary operating system commands on affected devices when specific pre-existing conditions are met. The flaw is classified under [CWE-78] (Improper Neutralization of Special Elements used in an OS Command). Access Points running AOS-8 Instant software are not affected. Successful exploitation grants execution on the underlying operating system, enabling persistence and lateral movement from compromised wireless infrastructure.

Critical Impact

Authenticated attackers can execute arbitrary system commands on AOS-10 Access Points, gaining full control of the underlying operating system and a foothold inside the wireless network fabric.

Affected Products

• HPE Aruba Networking Access Points running AOS-10
• AOS-10 configuration processing component
• AOS-8 Instant software is explicitly not affected

Discovery Timeline

• 2026-05-12 - CVE-2026-23821 published to NVD
• 2026-05-13 - Last updated in NVD database

Technical Details for CVE-2026-23821

Vulnerability Analysis

The vulnerability resides in how AOS-10 processes configuration input on Access Points. Configuration values reach an operating system command context without sufficient neutralization of shell metacharacters. An authenticated attacker who can submit or influence configuration data can inject commands that the device executes with the privileges of the configuration handler. Exploitation requires network reachability to the management surface and high-privilege credentials, narrowing the population of viable attackers but increasing impact when those conditions are met. The EPSS score is 0.123%, reflecting limited current exploitation signal. The advisory notes that exploitation depends on pre-existing conditions, indicating chained prerequisites in addition to authentication.

Root Cause

The root cause is improper neutralization of special elements in configuration values that flow into an OS command. The AOS-10 configuration parser passes attacker-controllable strings into a shell or command interpreter without sanitization, allowing metacharacters such as ;, |, &, and backticks to break out of the intended argument context. This is a classic [CWE-78] OS command injection pattern in embedded network operating systems.

Attack Vector

The attack vector is network-based and requires authenticated access with high privileges to the AOS-10 management interface. The attacker submits a crafted configuration payload containing shell metacharacters into a vulnerable configuration field. When the Access Point processes the configuration, the injected commands execute on the underlying Linux-based operating system. No user interaction is required. Because the impact extends across confidentiality, integrity, and availability, a successful exploit can be used to disable wireless services, exfiltrate management traffic, or pivot to adjacent network segments.

No public proof-of-concept code is currently available. Refer to the HPE Security Bulletin for vendor-specific technical details.

Detection Methods for CVE-2026-23821

Indicators of Compromise

• Unexpected child processes spawned by AOS-10 configuration or management daemons on Access Points
• Outbound connections from Access Point management interfaces to unfamiliar hosts
• Configuration change events containing shell metacharacters such as ;, |, &&, or backticks in value fields
• Unscheduled administrator authentications followed by configuration push operations

Detection Strategies

• Audit AOS-10 configuration change logs for values containing command separators or shell control characters
• Correlate privileged administrator logins with subsequent configuration writes that target uncommon parameters
• Monitor syslog from Access Points for process execution anomalies and unexpected binary invocations
• Compare running configurations against known-good baselines to surface unauthorized modifications

Monitoring Recommendations

• Forward AOS-10 syslog and AAA authentication events to a centralized SIEM for retention and correlation
• Alert on any administrative session originating from outside designated management subnets
• Track failed and successful privileged logins on Aruba Central and on-premises management planes
• Apply network telemetry monitoring to detect lateral movement initiated from Access Point IP ranges

How to Mitigate CVE-2026-23821

Immediate Actions Required

• Apply the fixed AOS-10 firmware version listed in the HPE Security Bulletin on all affected Access Points
• Restrict management plane access to dedicated administrative VLANs and trusted jump hosts
• Rotate all administrator credentials with high-privilege roles on AOS-10 controllers and Aruba Central tenants
• Review audit logs for unauthorized configuration changes since the published date

Patch Information

HPE has published remediation guidance in security bulletin hpesbnw05049en_us. Administrators should consult the HPE Security Bulletin for the list of fixed AOS-10 builds and upgrade procedures. AOS-8 Instant deployments do not require patching for this issue.

Workarounds

• Limit access to the AOS-10 management interface to a small set of trusted management hosts using ACLs
• Enforce multi-factor authentication and role separation so that few accounts hold the high privileges required for exploitation
• Disable unused management protocols and remote configuration endpoints where operationally feasible
• Segment Access Point management networks from general user and server VLANs to contain post-exploitation movement

# Example: restrict AOS-10 management access to a trusted subnet
ip access-list session mgmt-restrict
  user any svc-https permit
  user any svc-ssh permit
!
interface mgmt
  ip access-group in mgmt-restrict
  permit-source 10.10.10.0/24
  deny any