HPE Aruba Networking has issued a critical security advisory addressing multiple vulnerabilities in its Private 5G Core Platform that could allow attackers to create unauthorized administrative accounts, disrupt services, and access sensitive system information.
The flaws, tracked as CVE-2026-23595, CVE-2026-23596, CVE-2026-23597, and CVE-2026-23598, were discovered by the Communications Security Establishment (CSE) and affect versions 1.24.3.0 through 1.24.3.3 of the platform.
Critical Authentication Bypass Vulnerability
The most severe vulnerability, CVE-2026-23595, scored 8.8 on the CVSS scale and involves an authentication bypass in the application API.
This high-severity flaw allows unauthenticated remote attackers to create privileged user accounts without any authorization.
| CVE ID | Vulnerability Type | CVSS Score | Impact |
|---|---|---|---|
| CVE-2026-23595 | Authentication Bypass in Application API | 8.8 (High) | Unauthorized administrative account creation, privilege escalation |
| CVE-2026-23596 | Improper Access Control in Management API | 6.5 (Medium) | Service disruption, denial of service through forced restarts |
| CVE-2026-23597 | Information Disclosure in API Error Handling | 6.5 (Medium) | Exposure of user accounts, roles, system configuration details |
| CVE-2026-23598 | Information Disclosure in API Error Handling | 6.5 (Medium) | Exposure of internal services, workflows, and sensitive data |
Successful exploitation grants attackers administrative access to modify system configurations, manipulate sensitive data, and potentially gain persistent control over the networking infrastructure.
The attack vector requires adjacent network access but no user interaction, making it particularly dangerous in corporate or industrial environments.
CVE-2026-23596, rated medium severity with a CVSS score of 6.5, enables unauthenticated attackers to trigger service restarts through improper access control in the management API.
This vulnerability could be exploited to disrupt critical networking services and negatively impact system availability, potentially causing operational downtime.
Meanwhile, CVE-2026-23597 and CVE-2026-23598 expose sensitive system information through API error handling flaws.
Attackers can leverage these vulnerabilities to obtain details about user accounts, roles, system configurations, and internal service workflows, increasing the risk of sophisticated multi-stage attacks.
The vulnerabilities exclusively impact HPE Aruba Networking Private 5G Core versions 1.24.3.0, 1.24.3.1, 1.24.3.2, and 1.24.3.3.
Versions 1.24.2.2 and below, as well as version 1.25.1.0 and above, remain unaffected.
HPE strongly recommends that organizations running vulnerable versions immediately upgrade to version 1.25.1.0 or higher to mitigate these security risks.
The patches are available through HPE’s Enterprise License portal at myenterpriselicense.hpe.com.
No workarounds are available for these vulnerabilities, making patching the only effective defense strategy.
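As an added example (not from HPE's advisory), the following Python sketch triages an inventory against the version ranges stated above. The host names, inventory contents, and status labels are constructed for illustration; builds that fall outside every range named in the text are reported as "unlisted" rather than guessed at.

```python
import re

# Ranges exactly as stated in the article text.
AFFECTED_LOW, AFFECTED_HIGH = (1, 24, 3, 0), (1, 24, 3, 3)
UNAFFECTED_AT_OR_BELOW = (1, 24, 2, 2)
FIXED_AT_OR_ABOVE = (1, 25, 1, 0)

def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a four-part dotted version."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)\.(\d+)\.(\d+)\s*", text)
    return tuple(int(g) for g in m.groups()) if m else None

def classify(text):
    """Map a version string to affected / not affected / unlisted / unparseable."""
    v = parse_version(text)
    if v is None:
        return "unparseable"
    # Tuple comparison is numeric per component; comparing the raw strings
    # would wrongly place "1.24.3.10" between "1.24.3.0" and "1.24.3.3".
    if AFFECTED_LOW <= v <= AFFECTED_HIGH:
        return "affected"
    if v <= UNAFFECTED_AT_OR_BELOW or v >= FIXED_AT_OR_ABOVE:
        return "not affected"
    # Falls in a gap the text does not cover: verify against the vendor advisory.
    return "unlisted"

# Constructed sample inventory (hypothetical host names and versions).
INVENTORY = {
    "core-lab-01": "1.24.3.2",
    "core-plant-02": "1.25.1.0",
    "core-plant-03": "1.24.2.2",
    "core-edge-04": "1.24.3.10",
    "core-edge-05": "1.24.3",
}

def triage(inventory):
    """Group host names by classification, sorted for stable output."""
    result = {}
    for host, version in sorted(inventory.items()):
        result.setdefault(classify(version), []).append(host)
    return result

if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as "unlisted" or "unparseable" need a manual check before they are treated as safe.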




