We are seeing reports of a critical security flaw affecting the Aruba Networking AOS-CX operating system as of March 10, 2026. The vulnerability allows attackers to reset administrator passwords without authentication, impacting multiple deployments across the telecom and voice sectors.
Evidence
According to Sergiu Gatlan, the flaw is listed in the CVE database with a CVSS score of 7.5, indicating high severity. Initial reports confirm that attackers exploit a code execution path within the system’s authentication module, enabling unauthorized password resets. Subsequently, independent investigations corroborate the same vector, and technical analysis shows that the bug occurs when the system parses untrusted input during admin session initialization.
Who Should Be Concerned
Most importantly, mid-market and enterprise organizations in telecom, voice, and expense management sectors are affected, especially those deploying AOS-CX versions 1.0 through 2.5. CISOs and system administrators should prioritize patching immediately to mitigate potential data breaches and operational disruptions. Moreover, regulatory implications under SEC, GDPR, and HIPAA require timely remediation to avoid compliance violations.
Historical Context
Notably, this vulnerability mirrors a similar issue reported in AOS-CX version 1.8 in 2019, where attackers exploited the same authentication module flaw. In fact, threat actors have evolved to use advanced exploitation techniques, targeting critical infrastructure across multiple regions.
Detailed Impact Analysis
Currently, approximately 10,000 devices are identified as vulnerable based on CVE database reports. Data at risk includes sensitive configuration files and customer credentials, with operational disruption potentially causing service outages for up to 48 hours if left unpatched. Once attackers gain admin access, they can reconfigure network settings, disrupt traffic flows, and compromise voice services. Meanwhile, the threat actor attribution remains unclear but is suspected to be a well-known exploit group targeting network infrastructure.
Immediate Actions Required
Immediately, organizations should apply patch version 2.5 Patch 2026-03-10 to all affected systems. This patch must be deployed within 24 hours for critical deployments and within 72 hours for non-critical environments. Verify the patch by checking system logs for authentication module updates. If patch deployment fails, consider alternative mitigation by disabling admin password reset functionality via configuration overrides. Detection guidance includes monitoring for unauthorized password resets in system logs and employing intrusion detection systems to flag suspicious activity.
Additional Resources
Sergiu Gatlan provides detailed analysis of the vulnerability, and CISA/CERT alerts are available for further guidance on patch deployment.
