CVE-2026-23819
Hewlett Packard Enterprise (HPE) · ArubaOS (AOS)
A cross-site scripting (XSS) vulnerability in the web-based management interface of HPE ArubaOS Access Points allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser.
Executive summary
A critical vulnerability in the web-based management interface of HPE ArubaOS Access Points could allow unauthenticated attackers to execute malicious scripts in a user's browser session.
Vulnerability
This vulnerability exists within the web management interface and allows an unauthenticated remote attacker to execute JavaScript code. The attack requires user interaction (UI:R) and occurs within the local network (AV:A), potentially leading to session hijacking or unauthorized administrative actions.
Business impact
With a CVSS score of 8.8, this vulnerability presents a substantial risk to network infrastructure. If exploited, an attacker could compromise the administrative session of an IT professional, potentially leading to unauthorized configuration changes or further lateral movement within the network. The ability to execute arbitrary code within a browser session poses a severe threat to the integrity of network management operations.
Remediation
Immediate Action: Apply the relevant security updates provided by HPE for the affected ArubaOS versions immediately.
Proactive Monitoring: Monitor management interface access logs for suspicious input strings or unusual administrative activity originating from non-authorized internal segments.
Compensating Controls: Restrict access to the web-based management interface to specific, trusted management IP addresses to reduce the attack surface.
Exploitation status
Public Exploit Available: No
Analyst recommendation
The risk of unauthorized administrative control via browser-based script execution makes this a high-priority update. Network administrators should verify their current version against the affected list and deploy the manufacturer-supplied patches as soon as they are available.