Description
A vulnerability in the web-based management interface of AOS-CX Switches could allow an unauthenticated remote attacker to redirect users to an arbitrary URL.
Published: 2026-03-11
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Open Redirect
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is an unauthenticated web‑based open redirect that allows a remote attacker to cause users of the AOS‑CX Switch web interface to be redirected to an arbitrary URL. This type of weakness (CWE‑601) can be abused for phishing or malicious script delivery, compromising user confidence and potentially leading to credential compromise if users click on a fake login page. The security impact is primarily the loss of integrity and trust of the web interface, without immediate denial of service or data exfiltration.

Affected Systems

Affected systems are Hewlett Packard Enterprise AOS‑CX Switches. No specific product version information is provided in the CNA data, so owners should verify which firmware or software build is running.

Risk and Exploitability

The CVSS v3 score of 6.5 indicates medium severity. The EPSS score is less than 1%, suggesting a low probability of current exploitation, and the vulnerability is not listed in the CISA KEV catalog. Attackers need only unauthenticated access to the web interface, so the attack vector is remote over the network. The vulnerability is real, but the lack of a higher severity score or widespread exploitation data indicates that the likelihood of immediate impact is lower than for higher‑scored issues.

Generated by OpenCVE AI on March 17, 2026 at 15:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the HPE Support Portal for an AOS‑CX patch or firmware update that addresses the open‑redirect issue
  • Apply the latest vendor patch or release as soon as it is available
  • If a patch is not yet available, consider restricting access to the web interface by firewall rules or disabling the UI for untrusted users
  • Monitor web‑interface logs for suspicious redirect activities and review user reports of unexpected URLs
  • Keep general security hygiene by ensuring other known vulnerabilities are also patched

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 16:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-601
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Hpe; Hpe arubaos-cx
Vendors & Products | | Hpe; Hpe arubaos-cx

Wed, 11 Mar 2026 04:00:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability in the web-based management interface of AOS-CX Switches could allow an unauthenticated remote attacker to redirect users to an arbitrary URL.
Title | | Unauthenticated Open Redirect allows URL Manipulation in Web Interface
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: hpe

Published:

Updated: 2026-03-11T15:45:06.318Z

Reserved: 2026-01-16T15:22:38.202Z

Link: CVE-2026-23817

Vulnrichment

Updated: 2026-03-11T15:45:01.757Z

NVD

Status: Awaiting Analysis

Published: 2026-03-11T04:17:35.810

Modified: 2026-03-11T16:16:26.767

Link: CVE-2026-23817

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:37:59Z

Weaknesses