CVE-2026-23595: High-Severity Authentication Bypass Lets Attackers Create Admin Accounts in HPE Aruba Private 5G Core

Unauthenticated API flaw exposes core network control — full administrative takeover possible from adjacent network access

Authentication Bypass Leading to Administrative Account Creation

CVE ID: CVE-2026-23595
Affected Product: HPE Aruba Networking Private 5G Core
Vulnerability Type: Authentication Bypass
Impact: Unauthorized Administrative Account Creation
CVSS v3.1 Base Score: 8.8 (High)
Attack Vector: Adjacent Network
Privileges Required: None
User Interaction: None
Severity: High
Attack Complexity: Low
Exploit Availability: No widely trusted public exploit kit observed as of this writing; exploitation is technically straightforward

An authentication control weakness has been identified in the management/application API of HPE Aruba Networking Private 5G Core. Due to insufficient authentication validation on specific API endpoints, it may be possible for an unauthenticated attacker with network adjacency to create a new administrative account.

Once administrative access is obtained, full control of the Private 5G Core environment may be achieved, including configuration changes, subscriber data manipulation, service disruption, and persistent access establishment.


Affected Versions

HPE Aruba Networking Private 5G Core versions within the 1.24.3.x release train (prior to the vendor-patched build) are impacted.

Organizations should verify their deployed version immediately.


Technical Details

The vulnerability exists within API request handling logic associated with user or role provisioning endpoints. Authentication validation is improperly enforced before account creation logic is executed.

Under certain conditions, a crafted HTTP POST request directed at the management API allows creation of a user object with elevated privileges without presenting valid credentials or session tokens.

The issue stems from:

  • Missing authentication guard on user creation endpoint
  • Inadequate server-side privilege validation
  • Trust in client-supplied role parameters
  • Lack of mandatory session verification before privileged operations

Because the vulnerability requires only adjacent network access and no prior authentication, it presents a high operational risk in environments where the management interface is reachable from shared internal networks, partner networks, or poorly segmented infrastructure.


Exploitation Scenario

A practical exploitation chain may involve the following sequence:

  1. Network reconnaissance identifies exposed Private 5G Core management API.
  2. Attacker submits crafted POST request to user creation endpoint.
  3. Request includes elevated role attributes (e.g., administrative privileges).
  4. Server processes request without enforcing authentication.
  5. Administrative account is created successfully.
  6. Attacker logs in or reuses issued session token.
  7. Persistent privileged access is established.

Once administrative access is obtained, the following actions may be performed:

  • Creation of additional backdoor accounts
  • Modification of SIM/subscriber configurations
  • Core routing or policy manipulation
  • Service disruption
  • Extraction of configuration backups
  • Disabling of logging or monitoring

Educational Proof-of-Concept

The following example illustrates the general structure of a malicious request. This is provided strictly for educational validation and defensive detection testing.

POST /api/users HTTP/1.1
Host: target-device
Content-Type: application/json

{
  "username": "test_admin",
  "password": "TempPass123!",
  "role": "admin",
  "isAdmin": true
}

If the vulnerability is present, the server may respond with HTTP 200 or 201 and the account exists afterwards, without any credentials or session token having been presented. On a correctly enforced endpoint the request must be rejected with HTTP 401 or 403 before any account-creation logic runs, so a 2xx here, or a new entry in the user listing, is the confirming signal.

Note: Exact endpoint paths may vary by deployment and configuration.
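To make the four root causes listed under Technical Details concrete, the following is an added illustration and not HPE Aruba product code (which is not reproduced here): a minimal user-creation handler written the way the bullet list describes the flaw, beside a hardened version of the same endpoint. The in-memory user and session stores, the bearer-token session model and the role names are assumptions made for the example.

```python
import json

# Constructed in-memory stand-ins for the appliance's user and session stores.
USERS = {
    "ops_admin": {"role": "admin"},
    "viewer1": {"role": "viewer"},
}
SESSIONS = {                      # bearer token -> username (assumed session model)
    "tok-admin-1": "ops_admin",
    "tok-viewer-1": "viewer1",
}
ALLOWED_ROLES = {"viewer", "operator", "admin"}


def create_user_vulnerable(headers, body):
    """Handler shaped like the flaw described above: no authentication guard,
    and the client's 'role' / 'isAdmin' fields decide the new account's privilege."""
    req = json.loads(body)
    role = "admin" if req.get("isAdmin") else req.get("role", "viewer")
    USERS[req["username"]] = {"role": role}
    return 201, {"username": req["username"], "role": role}


def create_user_hardened(headers, body):
    """Same endpoint with the guards in place: authenticate the session first,
    require the caller to already hold admin, validate input server-side, and
    never read client-supplied privilege flags."""
    token = headers.get("Authorization", "")
    token = token[len("Bearer "):] if token.startswith("Bearer ") else ""
    caller = SESSIONS.get(token)
    if caller is None:
        return 401, {"error": "authentication required"}
    if USERS.get(caller, {}).get("role") != "admin":
        return 403, {"error": "admin privilege required to provision users"}
    try:
        req = json.loads(body)
    except ValueError:
        return 400, {"error": "malformed JSON"}
    username = req.get("username")
    role = req.get("role", "viewer")
    if not isinstance(username, str) or not username.isidentifier():
        return 400, {"error": "invalid username"}
    if role not in ALLOWED_ROLES:      # server-side allow-list, not client trust
        return 400, {"error": "unknown role"}
    if username in USERS:
        return 409, {"error": "user exists"}
    # 'isAdmin' is deliberately never read: privilege comes only from the validated role.
    USERS[username] = {"role": role, "created_by": caller}
    return 201, {"username": username, "role": role}


if __name__ == "__main__":
    poc = b'{"username": "test_admin", "password": "TempPass123!", "role": "admin", "isAdmin": true}'
    print("vulnerable:", create_user_vulnerable({}, poc))
    print("hardened, no session:", create_user_hardened({}, poc))
    print("hardened, viewer session:", create_user_hardened({"Authorization": "Bearer tok-viewer-1"}, poc))
```

The order of checks in the hardened handler matters: authentication, then authorization, then input validation, so an unauthenticated caller learns nothing about which usernames or roles exist.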


Indicators of Compromise

The following behaviors may indicate exploitation:

  • Unexpected administrative accounts appearing in user listings
  • Account creation events without corresponding authenticated session
  • API POST requests to account endpoints from unfamiliar IP addresses
  • Administrative logins originating from non-management subnets
  • Configuration changes outside approved maintenance windows
  • Privilege escalation events without audit trail

Log Sources for Detection

The following telemetry sources should be monitored:

  • Application API logs
  • Authentication and authorization audit logs
  • Reverse proxy / load balancer logs
  • Firewall logs
  • NetFlow or network telemetry
  • System security logs
  • SIEM correlation alerts

Logs should be centralized and retained externally from the appliance to prevent tampering.


Detection Queries

Splunk Detection Query

index=network OR index=web
method=POST
(uri_path="/api/user*" OR uri_path="/api/admin*" OR uri_path="/api/account*")
| regex _raw="\"role\"\s*:\s*\"admin\"|\"isAdmin\"\s*:\s*true"
| table _time, src_ip, user_agent, uri_path, status, _raw

The regex tolerates whitespace around the colon: the proof-of-concept body above is written as "role": "admin", which an exact "role":"admin" substring match would miss. Matching on the body also presumes that the reverse proxy or WAF in front of the API logs request bodies; typical access-log formats record only method, path and status, in which case drop the regex line and alert on the POST-to-account-endpoint pattern alone.

Splunk – Unauthorized Account Creation Without Session

index=app_logs
("user created" OR "account created")
| search NOT "authenticated user"
| table _time, src_ip, created_username, request_id

Elastic / KQL Detection

http.request.method : "POST" and
(url.path : /api/user* or url.path : /api/admin* or url.path : /api/account*) and
(http.request.body.content : *role*admin* or http.request.body.content : *isAdmin*true*)

Field names follow ECS (url.path, http.request.body.content). Wildcards must be unquoted in KQL, and the body wildcards deliberately allow whitespace between key and value at the cost of some extra matches to tune out.

Elastic (EQL) – Suspicious Admin Login After Account Creation

KQL has no join operator, so the correlation is written as an EQL sequence keyed on the user name:

sequence by user.name with maxspan=1h
  [any where event.action == "user_created"]
  [any where event.action == "login_success" and user.roles : "admin"]

Suricata IDS Rule

alert http any any -> $HOME_NET any ( \
  msg:"Possible HPE Aruba Private 5G Core admin account creation attempt (CVE-2026-23595)"; \
  flow:established,to_server; \
  http.method; content:"POST"; \
  http.uri; content:"/api/"; \
  http.request_body; content:"admin"; nocase; \
  pcre:"/\"role\"\s*:\s*\"admin\"|\"isAdmin\"\s*:\s*true/i"; \
  classtype:attempted-admin; \
  sid:202623595; rev:2;)

Suricata 5+ syntax: http.request_body is the sticky buffer formerly called http_client_body, and the pcre applies to that buffer. The content match on "admin" gives the fast-pattern engine something to pre-filter on; the regex then enforces the key/value pair with optional whitespace, as in the PoC body.

This rule should be tuned to reduce false positives before enforcement.
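The queries above are easier to tune when the same logic can be exercised against sample data. The following added example is not from the page's author and is not tied to the appliance's real log format (the field names are assumptions): it applies the body-pattern match from the first query and the two correlations from the second Splunk query and the EQL sequence (creation without an authenticated session, then an admin login by a just-created account) to constructed proxy and audit log lines.

```python
import json
import re
from datetime import datetime

# Matches the PoC body whether or not the JSON has whitespace around ':' (the
# page's PoC writes "role": "admin", which an exact "role":"admin" match misses).
ADMIN_BODY_RE = re.compile(r'"role"\s*:\s*"admin"|"isAdmin"\s*:\s*true', re.IGNORECASE)
ACCOUNT_PATH_RE = re.compile(r"^/api/(users?|admin|accounts?)(/|$)")

# Constructed sample logs, one JSON object per line. The field names are an
# assumption about what a reverse proxy / audit log in front of the API records.
_ts = "2026-02-03T10:{}"
ACCESS_LOG = [json.dumps(e) for e in [
    {"ts": _ts.format("05:00"), "src_ip": "10.0.9.5", "method": "POST", "path": "/api/users",
     "status": 201, "body": '{"username": "viewer7", "role": "viewer"}'},
    {"ts": _ts.format("14:55"), "src_ip": "10.20.5.77", "method": "POST", "path": "/api/users",
     "status": 201, "body": '{"username": "test_admin", "password": "TempPass123!", "role": "admin", "isAdmin": true}'},
    {"ts": _ts.format("15:10"), "src_ip": "10.0.9.5", "method": "GET", "path": "/api/users",
     "status": 200, "body": ""},
    {"ts": _ts.format("15:40"), "src_ip": "10.20.5.77", "method": "POST", "path": "/api/accounts",
     "status": 200, "body": '{"username":"bk","isAdmin":true}'},
]]
AUDIT_LOG = [json.dumps(e) for e in [
    {"ts": _ts.format("05:00"), "action": "user_created", "user": "viewer7", "actor": "ops_admin",
     "session_id": "s-41", "src_ip": "10.0.9.5"},
    {"ts": _ts.format("14:56"), "action": "user_created", "user": "test_admin", "actor": None,
     "session_id": None, "src_ip": "10.20.5.77"},
    {"ts": _ts.format("16:02"), "action": "login_success", "user": "test_admin", "role": "admin",
     "src_ip": "10.20.5.77"},
    {"ts": _ts.format("30:00"), "action": "login_success", "user": "ops_admin", "role": "admin",
     "src_ip": "10.0.9.5"},
]]


def flag_admin_creation_requests(access_lines):
    """First Splunk/KQL query: POSTs to account endpoints whose body asks for admin."""
    hits = []
    for line in access_lines:
        ev = json.loads(line)
        if ev.get("method") != "POST" or not ACCOUNT_PATH_RE.match(ev.get("path", "")):
            continue
        if ADMIN_BODY_RE.search(ev.get("body") or ""):
            hits.append({k: ev[k] for k in ("ts", "src_ip", "path", "status")})
    return hits


def correlate_audit(audit_lines, window_seconds=3600):
    """Second Splunk query and the EQL sequence: account creation with no
    authenticated actor/session, and an admin login by a just-created account."""
    events = sorted((json.loads(l) for l in audit_lines), key=lambda e: e["ts"])
    created_at, findings = {}, []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["action"] == "user_created":
            created_at[ev["user"]] = ts
            if not ev.get("actor") or not ev.get("session_id"):
                findings.append(("creation_without_session", ev["user"], ev["src_ip"]))
        elif ev["action"] == "login_success" and ev.get("role") == "admin":
            t0 = created_at.get(ev["user"])
            if t0 is not None and (ts - t0).total_seconds() <= window_seconds:
                findings.append(("admin_login_after_creation", ev["user"], ev["src_ip"]))
    return findings


if __name__ == "__main__":
    for h in flag_admin_creation_requests(ACCESS_LOG):
        print("suspicious request:", h)
    for f in correlate_audit(AUDIT_LOG):
        print("audit finding:", f)
```

Both functions return structured findings rather than printing them so they can be dropped behind a SIEM forwarder or a unit test; the one-hour window mirrors the maxspan in the EQL sequence and is the first knob to tune.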


Mitre ATT&CK Mapping

  • T1190 – Exploit Public-Facing Application
  • T1136 – Create Account
  • T1078 – Valid Accounts
  • T1098 – Account Manipulation
  • T1562.001 – Impair Defenses: Disable or Modify Tools (for the disabling of logging or monitoring noted above)

Risk Assessment

Because no authentication is required and exploitation complexity is low, environments with insufficient network segmentation are particularly exposed.

Although no mass exploitation campaigns have been publicly confirmed at this time, the vulnerability is considered operationally exploitable. The attack does not require user interaction, making it suitable for automated scanning and exploitation if discovered by threat actors.


Mitigation and Hardening

Immediate remediation steps:

  1. Upgrade to vendor-patched version.
  2. Restrict management API access to dedicated management VLAN.
  3. Enforce firewall ACLs limiting access to trusted hosts.
  4. Enable multi-factor authentication where supported.
  5. Audit and remove unauthorized accounts.
  6. Rotate administrative credentials.
  7. Increase logging verbosity temporarily.
  8. Export and securely archive logs for retrospective analysis.

Official Patch / Upgrade Link

HPE Official Advisory and Software Update:
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05002en_us&docLocale=en_US

Only vendor-provided software updates should be applied.


Incident Response Recommendations

If exploitation is suspected:

  • Immediately isolate affected node from management network
  • Capture memory and logs before reboot
  • Export user database for review
  • Identify timeline of account creation
  • Reset all privileged credentials
  • Validate system integrity
  • Review outbound traffic for data exfiltration

Persistent access mechanisms should be investigated, as attackers with admin control may implant additional access methods.
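For step 5 of the mitigation list and the user-database review above, the following is an added example and not the vendor's tooling: it reviews an exported user list against an approved admin baseline and an exposure window, and flags accounts created by an account that is itself suspect, which is how backdoor accounts left behind by a rogue admin surface. The export format, field names, baseline and window start are constructed assumptions; a real export from the appliance has to be mapped onto them.

```python
import json
from datetime import datetime

# Constructed baseline: admin accounts that change records say should exist.
APPROVED_ADMINS = {"ops_admin", "noc_admin"}

# Constructed user export. The appliance's real export format is not documented
# here; these field names are assumptions.
USER_EXPORT = json.dumps([
    {"username": "ops_admin", "role": "admin", "created": "2025-06-12T09:00:00", "created_by": "installer"},
    {"username": "noc_admin", "role": "admin", "created": "2025-09-01T11:30:00", "created_by": "ops_admin"},
    {"username": "viewer7", "role": "viewer", "created": "2026-02-03T10:05:00", "created_by": "ops_admin"},
    {"username": "test_admin", "role": "admin", "created": "2026-02-03T10:14:56", "created_by": None},
    {"username": "bk", "role": "admin", "created": "2026-02-03T10:15:40", "created_by": "test_admin"},
])


def audit_user_export(export_json, approved_admins, exposure_start):
    """Return (username, created, reasons) for every account needing review,
    oldest first, so the result doubles as the account-creation timeline.
    exposure_start is the assumed time the vulnerable build became reachable."""
    start = datetime.fromisoformat(exposure_start)
    suspects = set()
    findings = []
    for u in sorted(json.loads(export_json), key=lambda u: u["created"]):
        reasons = []
        if u["role"] == "admin" and u["username"] not in approved_admins:
            reasons.append("admin account not in approved baseline")
        if datetime.fromisoformat(u["created"]) >= start:
            reasons.append("created inside exposure window")
        if not u.get("created_by"):
            reasons.append("no creating actor recorded")
        elif u["created_by"] in suspects:
            # Chaining: anything provisioned by a suspect account is suspect too.
            reasons.append(f"created by suspect account {u['created_by']}")
        if reasons:
            suspects.add(u["username"])
            findings.append((u["username"], u["created"], reasons))
    return findings


if __name__ == "__main__":
    for username, created, reasons in audit_user_export(USER_EXPORT, APPROVED_ADMINS, "2026-02-03T00:00:00"):
        print(f"{created}  {username:<12} {'; '.join(reasons)}")
```

Accounts created inside the window are listed even when they look legitimate, because the review step is to confirm each one against a change record, not to trust the export's own metadata.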


Conclusion

CVE-2026-23595 represents a high-impact authentication bypass within a critical 5G core infrastructure component. Administrative account creation without authentication effectively grants full control over the environment.

Given the relatively low complexity of exploitation and the potential operational impact, remediation should be treated as urgent. Immediate patching and verification of administrative account integrity are strongly advised.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.