<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>HPE Aruba - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/hpe-aruba/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/hpe-aruba/feed.xml" rel="self" type="application/rss+xml"/><item><title>HPE Aruba Networking Private 5G Core On-Prem Open Redirect Vulnerability (CVE-2026-23818)</title><link>https://feed.craftedsignal.io/briefs/2024-01-hpe-aruba-redirect/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-hpe-aruba-redirect/</guid><description>CVE-2026-23818 is an open redirect vulnerability in the HPE Aruba Networking Private 5G Core On-Prem GUI that enables attackers to redirect authenticated users to attacker-controlled login pages to steal credentials.</description><content:encoded><![CDATA[<p>A critical vulnerability, CVE-2026-23818, has been discovered in the graphical user interface (GUI) of HPE Aruba Networking Private 5G Core On-Prem. This open redirect vulnerability resides within the login flow and allows an attacker to craft a malicious URL that, when accessed by an authenticated user, redirects them to a spoofed login page. The attacker hosts this spoofed page to mimic the legitimate Aruba login, prompting the user to enter their credentials. This attack is particularly dangerous because the user, after submitting their credentials on the fake page, may be redirected to the real login page, making the attack less obvious. This vulnerability impacts the security of the HPE Aruba Networking Private 5G Core On-Prem systems by potentially allowing unauthorized access through stolen credentials.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker crafts a malicious URL containing a redirect to an attacker-controlled server. This URL exploits the open redirect vulnerability (CVE-2026-23818) in the HPE Aruba Networking Private 5G Core On-Prem login flow.</li>
<li>The attacker distributes the crafted URL to potential victims, possibly through phishing emails or other social engineering methods.</li>
<li>The victim, an authenticated user of the HPE Aruba Networking Private 5G Core On-Prem system, clicks on the malicious URL.</li>
<li>The Aruba Networking Private 5G Core On-Prem GUI processes the crafted URL and redirects the victim's browser to the attacker-controlled server.</li>
<li>The attacker-controlled server hosts a spoofed login page that mimics the legitimate Aruba Networking Private 5G Core On-Prem login interface.</li>
<li>The victim, believing the spoofed page is genuine, enters their username and password.</li>
<li>The attacker captures the victim's credentials from the spoofed login page.</li>
<li>The attacker redirects the victim to the legitimate Aruba Networking Private 5G Core On-Prem login page, potentially masking the malicious activity. The attacker now possesses valid credentials for the Aruba system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-23818 can lead to the compromise of user accounts on HPE Aruba Networking Private 5G Core On-Prem systems. This allows an attacker to gain unauthorized access to the system's administrative functions and sensitive data. The impact could range from data breaches and service disruption to complete system takeover, depending on the privileges of the compromised account. The vulnerability poses a significant risk to organizations relying on HPE Aruba Networking Private 5G Core On-Prem for network management and security.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch or upgrade provided by HPE to remediate CVE-2026-23818 on all affected Aruba Networking Private 5G Core On-Prem systems.</li>
<li>Implement web server access logging and deploy the provided Sigma rule <code>Detect Aruba Open Redirect Attempt</code> to identify attempts to exploit the open redirect vulnerability in real-time.</li>
<li>Monitor web server logs for unusual URL patterns and redirects originating from the Aruba Networking Private 5G Core On-Prem GUI, as indicated by the <code>webserver</code> log source in the provided Sigma rules.</li>
<li>Educate users about the dangers of clicking on suspicious links and the importance of verifying the legitimacy of login pages to mitigate phishing risks (T1566).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>aruba</category><category>open-redirect</category><category>credential-theft</category><category>cve-2026-23818</category><category>network</category></item></channel></rss>