AOS-10 AP Command Injection: CVE-2026-23823 Exposes Networks
The National Vulnerability Database has disclosed CVE-2026-23823, a high-severity command injection vulnerability impacting Access Points running AOS-10. This flaw, rated 7.2 CVSS, allows an authenticated remote attacker to execute arbitrary commands on the underlying operating system via the command-line interface. This isn’t just a theoretical risk; successful exploitation means an attacker gains deep control over your network infrastructure.
Crucially, this vulnerability specifically targets AOS-10.7.x.x and above. Organizations still running AOS-10.4 AP or AOS-8 Instant software branches are not affected, according to the National Vulnerability Database. This narrow scope is a double-edged sword: it simplifies patching for some, but for others, it means a critical patch is required for their latest hardware deployments.
Attackers will prioritize these devices. Gaining root on an access point provides a strategic beachhead into the internal network, enabling lateral movement, traffic sniffing, and potential for further compromise. This isn’t about defacing a webpage; it’s about owning the network’s on-ramp. CISOs need to treat this as an immediate threat to their network perimeter.
What This Means For You
- If your organization uses Access Points running AOS-10.7.x.x or above, you are exposed. Prioritize patching or implementing compensating controls immediately. Audit your AP logs for any unusual CLI access or command execution. Assume compromise until proven otherwise.
🛡️ Detection Rules
2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.
CVE-2026-23823 - AOS-10 AP Command Injection via CLI
```yaml
title: CVE-2026-23823 - AOS-10 AP Command Injection via CLI
id: scw-2026-05-12-ai-1
status: experimental
level: critical
description: |
  Detects the execution of shell commands on AOS-10 Access Points that are indicative of command injection attempts, specifically targeting CVE-2026-23823. This rule looks for common shell interpreters and command separators often used in injection payloads.
author: SCW Feed Engine (AI-generated)
date: 2026-05-12
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-23823/
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
detection:
  # Fields inside one selection are ANDed; values in each list are ORed.
  selection:
    Image|contains:
      - '/bin/sh'
      - '/bin/bash'
    CommandLine|contains:
      - '&&'
      - ';'
      - '|'
      - '$('  # '$(' matches any command substitution; '$()' would only match an empty one
      - '`'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
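The following is an added example, not part of the original rule or any vendor tooling: a small Python evaluator that applies the rule's selection logic to constructed process-creation events, so you can see what it flags before deploying it. It assumes AP telemetry exposes `Image` and `CommandLine` fields as the rule expects, and it compares a `contains` value of `$()` with the shorter `$(` to show that the former only matches an empty substitution.

```python
# Added example: evaluates the Sigma selection above over constructed events.
# Field names come from the rule; every event below is constructed for illustration.

def selection(cmd_tokens):
    """Build the rule's selection with a given CommandLine token list."""
    return {
        "Image|contains": ["/bin/sh", "/bin/bash"],
        "CommandLine|contains": cmd_tokens,
    }

LITERAL = selection(["&&", ";", "|", "$()", "`"])  # '$()' matches only an empty substitution
PREFIX = selection(["&&", ";", "|", "$(", "`"])    # '$(' matches any command substitution

def matches(event, sel):
    """Sigma semantics: every field must match (AND); any listed value suffices (OR)."""
    for key, values in sel.items():
        field, _, modifier = key.partition("|")
        if modifier != "contains":
            raise ValueError(f"unsupported modifier: {modifier}")
        haystack = str(event.get(field, ""))
        if not any(v in haystack for v in values):
            return False
    return True

def matched_tokens(event, sel):
    """Return which CommandLine values fired, to help an analyst triage the hit."""
    cmd = str(event.get("CommandLine", ""))
    return [v for v in sel["CommandLine|contains"] if v in cmd]

# Constructed process-creation events (not captured from a real access point).
EVENTS = [
    {"id": 1, "Image": "/bin/sh", "CommandLine": "sh -c 'ping -c 1 192.0.2.10; id'"},
    {"id": 2, "Image": "/bin/sh", "CommandLine": "sh -c 'ping -c 1 192.0.2.10'"},
    {"id": 3, "Image": "/bin/bash", "CommandLine": "bash -c 'dmesg | tail -n 20'"},
    {"id": 4, "Image": "/usr/bin/ping", "CommandLine": "ping -c 1 192.0.2.10; id"},
    {"id": 5, "Image": "/bin/sh", "CommandLine": "sh -c 'echo $(uname -r)'"},
]

def triage(events, sel):
    """Map each matching event id to the tokens that caused the match."""
    return {e["id"]: matched_tokens(e, sel) for e in events if matches(e, sel)}

if __name__ == "__main__":
    for name, sel in (("'$()' literal", LITERAL), ("'$(' prefix", PREFIX)):
        print(name, "->", triage(EVENTS, sel))
```

Event 3 is an ordinary administrative pipeline and still matches, which is the false-positive case the rule lists; event 4 is skipped because the process image is not a shell.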
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-23823 | Command Injection | Access Points running AOS-10 |
| CVE-2026-23823 | Command Injection | Access Points running AOS-10.7.x.x and above |
| CVE-2026-23823 | Command Injection | Command Line Interface (CLI) |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 12, 2026 at 22:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.