CVE-2024-47460: Critical HPE AOS-CX Password Reset Bypass - Patch Now
- Unauthenticated remote attackers can reset administrative passwords on vulnerable HPE AOS-CX switches, leading to full device compromise.
- Affected systems include various versions of AOS-CX firmware running on Aruba networking hardware platforms.
- Organizations must apply the latest firmware updates immediately to prevent unauthorized administrative access and network disruption.
HPE Aruba Networking has issued an urgent security advisory regarding a critical vulnerability in its AOS-CX network operating system. The CVE identifies a significant flaw that allows an unauthenticated, remote attacker to bypass authentication controls and reset the administrative password on targeted switches. Given the central role these devices play in enterprise network infrastructure, this vulnerability represents a high-risk entry point for malicious actors.
Overview of CVE-2024-47460
The vulnerability, tracked as CVE-2024-47460, has been assigned a CVSS base score of 9.1, according to SecurityWeek. This rating reflects the low complexity required for exploitation and the lack of authentication necessary to execute the attack. The flaw resides specifically within the web-based management interface of the AOS-CX software. By sending specially crafted requests to the management portal, an attacker can overwrite the existing credentials for the local administrator account, effectively seizing control of the management plane.
Technical Analysis: HPE AOS-CX Authentication Bypass
The root of the issue is improper session or request validation within the web UI. Firmware versions released before the HPE Aruba Networking AOS-CX security updates fail to properly sanitize or verify the state of password reset requests. Because the administrative account is the highest-privilege identity on the device, access through this vector permits a complete compromise of the switch configuration.
Once administrative access is obtained, an attacker can modify Virtual LAN (VLAN) assignments, intercept traffic, or disable security features. This facilitates lateral movement within the internal network, as the switch often serves as a gateway or distribution point for sensitive data. Furthermore, an attacker could establish persistence by creating new user accounts or modifying existing scripts; because the activity originates from a trusted infrastructure component, it is difficult for traditional EDR solutions to detect.
How to Detect CVE-2024-47460 Exploit Attempts
SOC teams should immediately review their management plane logs for anomalies. High-fidelity indicators include unexpected password reset events in the system logs, particularly those originating from external or unauthorized IP addresses. Integrating network device logs into a SIEM is essential for identifying these patterns. Specifically, analysts should look for repeated failed login attempts followed by a successful login from a new or unfamiliar source, which may indicate that a reset has already occurred. Implementing Zero Trust access controls for the management interface, limiting access to specific jump hosts or internal management subnets, can significantly reduce the attack surface.
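The two log patterns described above, implemented as a small triage script. This is an added example, not code from HPE or from the original advisory: the log line format, the management subnet 10.0.100.0/24, the jump host 10.0.100.5 and the sample log lines are all constructed for the example, and real AOS-CX syslog output will need a different parser.

```python
"""Triage constructed switch management-plane log lines for two patterns:
a password reset from outside the management subnet, and a burst of failed
logins followed by a success from a source that is not a known admin host.
The log format here is constructed for the example, not the real AOS-CX format."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed management subnet and jump host (placeholders for this example)
MGMT_NETS = [ipaddress.ip_network("10.0.100.0/24")]
KNOWN_ADMIN_SOURCES = {"10.0.100.5"}

# Constructed line format: <iso-timestamp> <host> <EVENT> user=<name> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>PASSWORD_RESET|LOGIN_FAIL|LOGIN_OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: three failures, a reset and a success from an outside
# address, plus a legitimate reset from the jump host.
SAMPLE_LOGS = """\
2024-10-01T09:00:01 core-sw1 LOGIN_OK user=admin src=10.0.100.5
2024-10-01T09:05:10 core-sw1 LOGIN_FAIL user=admin src=203.0.113.7
2024-10-01T09:05:12 core-sw1 LOGIN_FAIL user=admin src=203.0.113.7
2024-10-01T09:05:15 core-sw1 LOGIN_FAIL user=admin src=203.0.113.7
2024-10-01T09:05:40 core-sw1 PASSWORD_RESET user=admin src=203.0.113.7
2024-10-01T09:06:02 core-sw1 LOGIN_OK user=admin src=203.0.113.7
2024-10-01T10:00:00 core-sw1 PASSWORD_RESET user=admin src=10.0.100.5
"""


def parse(lines):
    """Parse matching lines into dicts; lines that do not fit the format are skipped."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    return events


def is_management_source(src):
    """True if the source address falls inside an allowed management subnet."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in MGMT_NETS)


def find_alerts(lines, fail_threshold=3, window=timedelta(minutes=5)):
    """Return (alert_type, source_ip, timestamp) tuples for the two patterns."""
    alerts = []
    recent_fails = defaultdict(list)  # source ip -> timestamps of failed logins
    for ev in parse(lines):
        src = ev["src"]
        if ev["event"] == "PASSWORD_RESET" and not is_management_source(src):
            alerts.append(("reset_from_outside_mgmt", src, ev["ts"]))
        elif ev["event"] == "LOGIN_FAIL":
            recent_fails[src].append(ev["ts"])
        elif ev["event"] == "LOGIN_OK":
            # Only failures inside the window before this success count
            fails = [t for t in recent_fails[src] if ev["ts"] - t <= window]
            if len(fails) >= fail_threshold and src not in KNOWN_ADMIN_SOURCES:
                alerts.append(("fail_burst_then_success_new_source", src, ev["ts"]))
            recent_fails[src] = []
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOGS):
        print(alert)
```

Run against the sample, the script raises both alert types for 203.0.113.7 and stays quiet about the reset from the jump host; in a SIEM the same two rules map naturally onto a correlation search keyed on source address.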
Mitigation and AOS-CX 10.14 Patch Guidance
The primary remediation for this threat is the application of official firmware updates. HPE has released patches across multiple release branches. Administrators should consult the following version-specific AOS-CX patch guidance, including the 10.14 branch, to ensure their environment is protected:
- AOS-CX 10.10.xxxx: Update to 10.10.1090 or later
- AOS-CX 10.11.xxxx: Update to 10.11.0030 or later
- AOS-CX 10.12.xxxx: Update to 10.12.1040 or later
- AOS-CX 10.13.xxxx: Update to 10.13.1021 or later
- AOS-CX 10.14.xxxx: Update to 10.14.0010 or later
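A fleet check against the fixed-version table above, as an added example rather than an HPE tool. It parses AOS-CX version strings of the form major.minor.build, compares the build numerically against the first fixed release of the same branch, and reports branches the table does not cover rather than guessing; the device inventory is constructed for the example.

```python
"""Check running AOS-CX firmware versions against the fixed versions in the
advisory. Example code, not from HPE; the inventory below is constructed."""

# First fixed version per release branch, taken from the advisory's list
FIXED_VERSIONS = {
    (10, 10): (10, 10, 1090),
    (10, 11): (10, 11, 30),    # 10.11.0030
    (10, 12): (10, 12, 1040),
    (10, 13): (10, 13, 1021),
    (10, 14): (10, 14, 10),    # 10.14.0010
}

# Constructed sample inventory: (hostname, running version)
INVENTORY = [
    ("core-sw1", "10.12.1020"),
    ("core-sw2", "10.12.1040"),
    ("edge-sw7", "10.14.0001"),
    ("lab-sw3", "10.09.1000"),
]


def parse_version(version):
    """'10.12.1020' -> (10, 12, 1020); leading zeros in the build are ignored."""
    parts = version.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised AOS-CX version string: {version!r}")
    return tuple(int(p) for p in parts[:3])


def assess(version):
    """Return 'patched', 'vulnerable' or 'unknown-branch' for one version string."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return "unknown-branch"  # not in the advisory's table; check the vendor bulletin
    return "patched" if v >= fixed else "vulnerable"


def devices_needing_action(inventory):
    """List every device that is not confirmed patched, with its assessment."""
    report = []
    for host, version in inventory:
        status = assess(version)
        if status != "patched":
            report.append((host, version, status))
    return report


if __name__ == "__main__":
    for host, version, status in devices_needing_action(INVENTORY):
        print(f"{host:10} {version:12} {status}")
```

Devices on branches outside the table are reported as unknown rather than silently treated as safe, which is the behaviour you want when the table is copied from an advisory that may predate newer branches.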
If immediate patching is not feasible, defenders should disable the web-based management interface and rely exclusively on SSH for administrative tasks, ensuring that SSH access is protected by strong, phishing-resistant multi-factor authentication. Restricting the management interface to a dedicated out-of-band management network is a recommended best practice to mitigate the risk of unauthenticated privilege escalation via the web UI.