HPE Aruba Private 5G platform flaw could let attackers steal login credentials
4 min. read 
Published on
HPE has disclosed a high-severity vulnerability in Aruba Networking Private 5G Core On-Prem that could let attackers steal user credentials through a crafted login link. The issue is tracked as CVE-2026-23818 and affects version 1.25.3.0 and earlier, according to HPE’s advisory listing and the Canadian Centre for Cyber Security alert.
The flaw sits in the platform’s graphical user interface and involves an open redirect in the login flow. In practice, an attacker can send a specially crafted URL that redirects a victim to an attacker-controlled page that looks like the legitimate login portal.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
If the victim enters their username and password on that spoofed page, the attacker can capture the credentials and then send the user back to the real login screen. That flow makes the attack harder to notice, especially in environments where users already expect to sign in through web-based management consoles.
Why this issue matters
Private 5G platforms often sit close to sensitive business operations, connected devices, and enterprise traffic. If an attacker captures valid admin or operator credentials, that access can open the door to configuration changes, service disruption, or deeper movement inside the environment. This risk follows directly from the advisory’s warning that stolen credentials can result from successful exploitation.
The vulnerability does not appear to require malware or a complex exploit chain. The attack depends on social engineering and a malicious URL, which means security teams need to treat it as both a software weakness and a phishing risk.
Severity is also notable. The CVE record shows an HPE CNA CVSS v3.1 base score of 8.8, rated High, with a vector that reflects network-based exploitation and required user interaction.
Affected product and key details
The Canadian Centre for Cyber Security says the advisory applies to HPE Aruba Networking Private 5G Core version 1.25.3.0 and prior. It published its alert on April 8, 2026, one day after HPE released the underlying bulletin.
The NVD entry describes the weakness as an open redirect vulnerability in the GUI login flow. It also maps the flaw to CWE-601, which covers URL redirection to an untrusted site.
That matters because open redirects often look harmless at first glance, but they can become highly effective phishing tools when they appear tied to a trusted domain or a familiar sign-in process. In this case, the attacker’s goal is credential capture rather than direct code execution.
CVE-2026-23818 at a glance
| Item | Details |
|---|---|
| Vulnerability | CVE-2026-23818 |
| Product | HPE Aruba Networking Private 5G Core On-Prem |
| Affected versions | 1.25.3.0 and prior |
| Vulnerability type | Open redirect in GUI login flow |
| Main risk | Credential theft through spoofed login page |
| Severity | High |
| CVSS v3.1 score | 8.8 |
| Published | April 7, 2026 |
What organizations should do now
The first step is to apply HPE’s available updates and review bulletin HPESBNW05032. That is the main remediation path referenced by both the CVE record and the Canadian alert.
Security teams should also remind administrators and operators not to trust login links received in email, chat, or tickets without checking the destination carefully. Since this attack relies on user interaction, better URL validation habits can reduce the chance of credential theft. This is an inference based on the attack flow described in the CVE record.
Multi-factor authentication also matters here. It will not remove the bug, but it can reduce the impact of a stolen password if an attacker manages to trick a user into logging into a fake page. That is a standard defensive measure for credential-phishing scenarios like this one.
Defensive priorities
- Patch Aruba Networking Private 5G Core On-Prem systems covered by the bulletin
- Review any external or bookmarked login URLs used by admins
- Warn users about suspicious login prompts and redirected sign-in pages
- Enforce multi-factor authentication for management access
- Monitor for failed logins, unusual redirects, and suspicious account activity
These steps align with the vulnerability description and the likely phishing-style abuse path described in the official record.
FAQ
It is an open redirect vulnerability in the GUI login flow of HPE Aruba Networking Private 5G Core On-Prem that can be abused to redirect users to a fake login page and steal credentials.
The published alert says HPE Aruba Networking Private 5G Core version 1.25.3.0 and prior are affected.
The official description does not mention malware. It describes a crafted URL that redirects an authenticated user to an attacker-controlled spoofed login page.
HPE assigned the issue a CVSS v3.1 score of 8.8, which places it in the High severity range.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Improve this guide
User forum
0 messages