{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale",
      "text": "Medium"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "summary",
        "text": "Hewlett Packard Enterprise (HPE) Aruba Networking has released patches for ArubaOS (AOS-8 and AOS-10) to address vulnerabilities affecting Mobility Conductors, Controllers, Gateways, and Access Points when the Client Isolation feature is enabled.",
        "title": "Summary"
      },
      {
        "category": "general",
        "text": "Affected products:\n- HPE Aruba Networking Mobility Conductors\n- Mobility Controllers\n- Mobility Gateways (Managed by HPE Aruba Networking Central)\n- AOS-10 Access Points (AOS-AP)\n- AOS-8 Instant Access Points (AOS-IAP)\n\nAffected Software Version(s):\n- AOS-10.8.x.x: 10.8.0.0 and below\n- AOS-10.7.x.x: 10.7.2.2 and below\n- AOS-10.4.x.x: 10.4.1.10 and below\n- AOS-8.13.x.x: 8.13.1.1 and below\n- AOS-8.12.x.x: 8.12.0.6 and below\n- AOS-8.10.x.x: 8.10.0.21 and below\n\nThe following software versions are End of Maintenance (EoM); they are affected by these vulnerabilities but are not addressed by this advisory:\n- AOS-10.6.x.x: all\n- AOS-10.5.x.x: all\n- AOS-10.3.x.x: all\n- AOS-8.12.x.x: all\n- AOS-8.11.x.x: all\n- AOS-8.9.x.x: all\n- AOS-8.8.x.x: all\n- AOS-8.7.x.x: all\n- AOS-8.6.x.x: all\n- AOS-6.5.4.x: all\n- SD-WAN 8.7.0.0-2.3.0.x: all\n- SD-WAN 8.6.0.4-2.2.x.x: all",
        "title": "Affected Products"
      },
      {
        "category": "general",
        "text": "Any other HPE Aruba Networking products and software versions not specifically listed above are not affected by these vulnerabilities.",
        "title": "Unaffected Products"
      },
      {
        "category": "other",
        "text": "HPE Aruba Networking is aware of a publicly disclosed research paper, titled \"AirSnitch\", that discusses related techniques. As of the advisory's release date, HPE Aruba Networking has no evidence that these vulnerabilities are being actively exploited in HPE Aruba Networking Wireless Operating Systems (AOS-10 or AOS-8) or in any other HPE Aruba Networking Products.",
        "title": "Exploitation and Public Discussion"
      },
      {
        "category": "general",
        "text": "Vulnerability-specific workarounds are listed in the remediations of each vulnerability in this advisory. You may contact HPE Services - Aruba Networking for assistance if needed. For more information, please visit the HPE Aruba Networking Support Portal at https://networkingsupport.hpe.com/home .",
        "title": "Workaround"
      },
      {
        "category": "general",
        "text": "Complete information on reporting security vulnerabilities in HPE Aruba Networking products and obtaining assistance with security incidents is available at:\nhttps://www.hpe.com/support/security-response-policy\n\nFor reporting NEW HPE Aruba Networking security issues, email can be sent to hpe-networking-sirt@hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at:\nhttps://www.hpe.com/info/psrt-pgp-key",
        "title": "HPE Aruba Networking SIRT Security Procedures"
      },
      {
        "category": "legal_disclaimer",
        "text": "(c) Copyright 2026 by Hewlett Packard Enterprise Development LP. This advisory may be redistributed freely after the release date of the advisory, provided that the redistributed copies are complete and unmodified, including all data and version information.",
        "title": "Legal Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "Email: hpe-networking-sirt@hpe.com - For further details please see https://www.hpe.com/support/security-response-policy",
      "issuing_authority": "HPE Aruba Networking's Security Incident Response Team (SIRT) is responsible for receiving, tracking, managing, and disclosing vulnerabilities in HPE Aruba Networking products. The HPE Aruba Networking SIRT actively works with industry, non-profit, government organizations, and the security community when vulnerabilities are reported.",
      "name": "HPE Networking",
      "namespace": "https://www.hpe.com/support/security-response-policy"
    },
    "references": [
      {
        "summary": "Original Advisory",
        "url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05026en_us&docLocale=en_US"
      },
      {
        "summary": "HPE Aruba Networking Security Advisory Archive",
        "url": "https://csaf.arubanetworking.hpe.com/"
      },
      {
        "summary": "HPE Aruba Networking Product Security Incident Response Policy",
        "url": "https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00100637en_us"
      }
    ],
    "title": "Multiple Vulnerabilities in HPE Aruba Networking Wireless Operating Systems (AOS-8 and AOS-10) for Mobility Conductors, Controllers, Gateways, and Access Points.",
    "tracking": {
      "current_release_date": "2026-03-03T18:00:00.000Z",
      "generator": {
        "date": "2026-03-03T22:45:01.556Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.44"
        }
      },
      "id": "HPESBNW05026",
      "initial_release_date": "2026-03-03T18:00:00.000Z",
      "revision_history": [
        {
          "date": "2026-03-03T18:00:00.000Z",
          "number": "1",
          "summary": "Initial release"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "AOS-10.8.x",
                "product": {
                  "name": "HPE Aruba Networking Operating System AOS-10",
                  "product_id": "AOS-10.8.0.1"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:semver/>=10.8.0.0|<=10.8.0.0",
                "product": {
                  "name": "HPE Aruba Networking Operating System AOS-10",
                  "product_id": ">=10.8.0.0|<=10.8.0.0"
                }
              },
              {
                "category": "product_version",
                "name": "AOS-10.7.x",
                "product": {
                  "name": "HPE Aruba Networking Operating System AOS-10",
                  "product_id": "AOS-10.7.2.3"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:semver/>=10.7.0.0|<=10.7.2.2",
                "product": {
                  "name": "HPE Aruba Networking Operating System AOS-10",
                  "product_id": ">=10.7.0.0|<=10.7.2.2"
                }
              },
              {
                "category": "product_version",
                "name": "AOS-10.4.x",
                "product": {
                  "name": "HPE Aruba Networking Operating System AOS-10",
                  "product_id": "AOS-10.4.1.11"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:semver/>=10.4.0.0|<=10.4.1.10",
                "product": {
                  "name": "HPE Aruba Networking Operating System AOS-10",
                  "product_id": ">=10.4.0.0|<=10.4.1.10"
                }
              },
              {
                "category": "product_version",
                "name": "AOS-8.13.x",
                "product": {
                  "name": "HPE Aruba Networking Operating System AOS-8",
                  "product_id": "AOS-8.13.1.2"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:semver/>=8.13.0.0|<=8.13.1.1",
                "product": {
                  "name": "HPE Aruba Networking Operating System AOS-8",
                  "product_id": ">=8.13.0.0|<=10.13.1.1"
                }
              },
              {
                "category": "product_version",
                "name": "AOS-8.12.x",
                "product": {
                  "name": "HPE Aruba Networking Operating System AOS-8",
                  "product_id": "AOS-8.12.0.7"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:semver/>=8.12.0.0|<=8.12.0.6",
                "product": {
                  "name": "HPE Aruba Networking Operating System AOS-8",
                  "product_id": ">=8.12.0.0|<=10.12.0.6"
                }
              },
              {
                "category": "product_version",
                "name": "AOS-8.10.x",
                "product": {
                  "name": "HPE Aruba Networking Operating System AOS-8",
                  "product_id": "AOS-8.10.0.22"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:semver/>=8.10.0.0|<=8.10.0.21",
                "product": {
                  "name": "HPE Aruba Networking Operating System AOS-8",
                  "product_id": ">=8.10.0.0|<=10.13.0.21"
                }
              }
            ],
            "category": "product_name",
            "name": "ArubaOS (AOS)"
          }
        ],
        "category": "vendor",
        "name": "HPE Aruba Networking"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Xin'an Zhou",
            "Juefei Pu",
            "Zhutian Liu",
            "Zhiyun Qian",
            "Zhaowei Tan",
            "Srikanth V. Krishnamurthy"
          ],
          "organization": "University of California"
        },
        {
          "names": [
            "Mathy Vanhoef"
          ],
          "organization": "DistriNet, KU Leuven"
        }
      ],
      "cve": "CVE-2026-23601",
      "notes": [
        {
          "category": "details",
          "text": "A vulnerability has been identified in the wireless encryption handling of Wi-Fi transmissions. A malicious actor can generate shared-key authenticated transmissions containing targeted payloads while impersonating the identity of a primary BSSID. Successful exploitation allows for the delivery of tampered data to specific endpoints, bypassing standard cryptographic separation.",
          "title": "Details"
        },
        {
          "category": "other",
          "text": "VULN-212",
          "title": "Internal Reference"
        }
      ],
      "product_status": {
        "fixed": [
          "AOS-10.8.0.1",
          "AOS-10.7.2.3",
          "AOS-10.4.1.11",
          "AOS-8.13.1.2",
          "AOS-8.12.0.7",
          "AOS-8.10.0.22"
        ],
        "known_affected": [
          ">=10.8.0.0|<=10.8.0.0",
          ">=10.7.0.0|<=10.7.2.2",
          ">=10.4.0.0|<=10.4.1.10",
          ">=8.13.0.0|<=10.13.1.1",
          ">=8.12.0.0|<=10.12.0.6",
          ">=8.10.0.0|<=10.13.0.21"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "AirSnitch research paper (NDSS Symposium 2026)",
          "url": "https://www.ndss-symposium.org/wp-content/uploads/2026-f1282-paper.pdf"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-03T17:00:00.000Z",
          "details": "Upgrade Mobility Conductors, Controllers, Gateways, and Access Points to one of the following AOS-10 or AOS-8 versions (as applicable) to resolve the vulnerabilities described in the details section:\n- AOS-10.8.x.x: 10.8.0.1 and above (Release ETA: First half of March 2026)\n- AOS-10.7.x.x: 10.7.2.3 and above\n- AOS-10.4.x.x: 10.4.1.11 and above\n- AOS-8.13.x.x: 8.13.1.2 and above\n- AOS-8.12.x.x: 8.12.0.7 and above (Release ETA: Second half of March 2026)\n- AOS-8.10.x.x: 8.10.0.22 and above (Release ETA: First half of March 2026)\n\nSoftware versions with resolution/fixes for the vulnerabilities covered above can be downloaded from the HPE Networking Support Portal at https://networkingsupport.hpe.com/globalsearch#tab=Software\n\nHPE Aruba Networking does not evaluate or patch AOS-10 and AOS-8 software branches that have reached their End of Maintenance (EoM) milestone. For more information about HPE Aruba Networking's End of Life policy visit: https://www.hpe.com/psnow/doc/a00143052enw.",
          "product_ids": [
            "AOS-10.8.0.1",
            "AOS-10.7.2.3",
            "AOS-10.4.1.11",
            "AOS-8.13.1.2",
            "AOS-8.12.0.7",
            "AOS-8.10.0.22"
          ],
          "url": "https://networkingsupport.hpe.com/globalsearch#tab=Software"
        },
        {
          "category": "workaround",
          "date": "2026-03-03T17:00:00.000Z",
          "details": "To minimize the likelihood of an attacker exploiting this vulnerability, HPE Aruba Networking recommends applying the following mitigations:\n- Passpoint SSIDs: enable group-frame-block.\n\nNote: There is no workaround for open/captive portal SSIDs.",
          "product_ids": [
            ">=10.8.0.0|<=10.8.0.0",
            ">=10.7.0.0|<=10.7.2.2",
            ">=10.4.0.0|<=10.4.1.10",
            ">=8.13.0.0|<=10.13.1.1",
            ">=8.12.0.0|<=10.12.0.6",
            ">=8.10.0.0|<=10.13.0.21"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "environmentalScore": 5.4,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 5.4,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            ">=10.8.0.0|<=10.8.0.0",
            ">=10.7.0.0|<=10.7.2.2",
            ">=10.4.0.0|<=10.4.1.10",
            ">=8.13.0.0|<=10.13.1.1",
            ">=8.12.0.0|<=10.12.0.6",
            ">=8.10.0.0|<=10.13.0.21"
          ]
        }
      ],
      "title": "Frame Injection via Shared GTK Allows Traffic Spoofing and Client Compromise"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Xin'an Zhou",
            "Juefei Pu",
            "Zhutian Liu",
            "Zhiyun Qian",
            "Zhaowei Tan",
            "Srikanth V. Krishnamurthy"
          ],
          "organization": "University of California"
        },
        {
          "names": [
            "Mathy Vanhoef"
          ],
          "organization": "DistriNet, KU Leuven"
        }
      ],
      "cve": "CVE-2026-23808",
      "notes": [
        {
          "category": "details",
          "text": "A vulnerability has been identified in a standardized wireless roaming protocol that could enable a malicious actor to install an attacker-controlled Group Temporal Key (GTK) on a client device. Successful exploitation of this vulnerability could allow a remote malicious actor to perform unauthorized frame injection, bypass client isolation, interfere with cross-client traffic, and compromise network segmentation, integrity, and confidentiality.",
          "title": "Details"
        },
        {
          "category": "other",
          "text": "VULN-213",
          "title": "Internal Reference"
        }
      ],
      "product_status": {
        "fixed": [
          "AOS-10.8.0.1",
          "AOS-10.7.2.3",
          "AOS-10.4.1.11",
          "AOS-8.13.1.2",
          "AOS-8.12.0.7",
          "AOS-8.10.0.22"
        ],
        "known_affected": [
          ">=10.8.0.0|<=10.8.0.0",
          ">=10.7.0.0|<=10.7.2.2",
          ">=10.4.0.0|<=10.4.1.10",
          ">=8.13.0.0|<=10.13.1.1",
          ">=8.12.0.0|<=10.12.0.6",
          ">=8.10.0.0|<=10.13.0.21"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "AirSnitch research paper (NDSS Symposium 2026)",
          "url": "https://www.ndss-symposium.org/wp-content/uploads/2026-f1282-paper.pdf"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-03T17:00:00.000Z",
          "details": "Upgrade Mobility Conductors, Controllers, Gateways, and Access Points to one of the following AOS-10 or AOS-8 versions (as applicable) to resolve the vulnerabilities described in the details section:\n- AOS-10.8.x.x: 10.8.0.1 and above (Release ETA: First half of March 2026)\n- AOS-10.7.x.x: 10.7.2.3 and above\n- AOS-10.4.x.x: 10.4.1.11 and above\n- AOS-8.13.x.x: 8.13.1.2 and above\n- AOS-8.12.x.x: 8.12.0.7 and above (Release ETA: Second half of March 2026)\n- AOS-8.10.x.x: 8.10.0.22 and above (Release ETA: First half of March 2026)\n\nSoftware versions with resolution/fixes for the vulnerabilities covered above can be downloaded from the HPE Networking Support Portal at https://networkingsupport.hpe.com/globalsearch#tab=Software\n\nHPE Aruba Networking does not evaluate or patch AOS-10 and AOS-8 software branches that have reached their End of Maintenance (EoM) milestone. For more information about HPE Aruba Networking's End of Life policy visit: https://www.hpe.com/psnow/doc/a00143052enw.",
          "product_ids": [
            "AOS-10.8.0.1",
            "AOS-10.7.2.3",
            "AOS-10.4.1.11",
            "AOS-8.13.1.2",
            "AOS-8.12.0.7",
            "AOS-8.10.0.22"
          ],
          "url": "https://networkingsupport.hpe.com/globalsearch#tab=Software"
        },
        {
          "category": "workaround",
          "date": "2026-03-03T17:00:00.000Z",
          "details": "To minimize the likelihood of an attacker exploiting this vulnerability, HPE Aruba Networking recommends applying the following mitigations:\n- Passpoint SSIDs: enable group-frame-block.\n\nNote: There is no workaround for open/captive portal SSIDs.",
          "product_ids": [
            ">=10.8.0.0|<=10.8.0.0",
            ">=10.7.0.0|<=10.7.2.2",
            ">=10.4.0.0|<=10.4.1.10",
            ">=8.13.0.0|<=10.13.1.1",
            ">=8.12.0.0|<=10.12.0.6",
            ">=8.10.0.0|<=10.13.0.21"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "environmentalScore": 5.4,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 5.4,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            ">=10.8.0.0|<=10.8.0.0",
            ">=10.7.0.0|<=10.7.2.2",
            ">=10.4.0.0|<=10.4.1.10",
            ">=8.13.0.0|<=10.13.1.1",
            ">=8.12.0.0|<=10.12.0.6",
            ">=8.10.0.0|<=10.13.0.21"
          ]
        }
      ],
      "title": "Client Isolation Bypass via GTK Manipulation"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Xin'an Zhou",
            "Juefei Pu",
            "Zhutian Liu",
            "Zhiyun Qian",
            "Zhaowei Tan",
            "Srikanth V. Krishnamurthy"
          ],
          "organization": "University of California"
        },
        {
          "names": [
            "Mathy Vanhoef"
          ],
          "organization": "DistriNet, KU Leuven"
        }
      ],
      "cve": "CVE-2026-23809",
      "notes": [
        {
          "category": "details",
          "text": "A technique has been identified that adapts a known port-stealing method to Wi-Fi environments that use multiple BSSIDs. By leveraging the relationship between BSSIDs and their associated virtual ports, an attacker could potentially bypass inter-BSSID isolation controls. Successful exploitation may enable an attacker to redirect and intercept the victim's network traffic, potentially resulting in eavesdropping, session hijacking, or denial of service.",
          "title": "Details"
        },
        {
          "category": "other",
          "text": "VULN-215",
          "title": "Internal Reference"
        }
      ],
      "product_status": {
        "fixed": [
          "AOS-10.8.0.1",
          "AOS-10.7.2.3",
          "AOS-10.4.1.11",
          "AOS-8.13.1.2",
          "AOS-8.12.0.7",
          "AOS-8.10.0.22"
        ],
        "known_affected": [
          ">=10.8.0.0|<=10.8.0.0",
          ">=10.7.0.0|<=10.7.2.2",
          ">=10.4.0.0|<=10.4.1.10",
          ">=8.13.0.0|<=10.13.1.1",
          ">=8.12.0.0|<=10.12.0.6",
          ">=8.10.0.0|<=10.13.0.21"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "AirSnitch research paper (NDSS Symposium 2026)",
          "url": "https://www.ndss-symposium.org/wp-content/uploads/2026-f1282-paper.pdf"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-03T17:00:00.000Z",
          "details": "Upgrade Mobility Conductors, Controllers, Gateways, and Access Points to one of the following AOS-10 or AOS-8 versions (as applicable) to resolve the vulnerabilities described in the details section:\n- AOS-10.8.x.x: 10.8.0.1 and above (Release ETA: First half of March 2026)\n- AOS-10.7.x.x: 10.7.2.3 and above\n- AOS-10.4.x.x: 10.4.1.11 and above\n- AOS-8.13.x.x: 8.13.1.2 and above\n- AOS-8.12.x.x: 8.12.0.7 and above (Release ETA: Second half of March 2026)\n- AOS-8.10.x.x: 8.10.0.22 and above (Release ETA: First half of March 2026)\n\nSoftware versions with resolution/fixes for the vulnerabilities covered above can be downloaded from the HPE Networking Support Portal at https://networkingsupport.hpe.com/globalsearch#tab=Software\n\nHPE Aruba Networking does not evaluate or patch AOS-10 and AOS-8 software branches that have reached their End of Maintenance (EoM) milestone. For more information about HPE Aruba Networking's End of Life policy visit: https://www.hpe.com/psnow/doc/a00143052enw.",
          "product_ids": [
            "AOS-10.8.0.1",
            "AOS-10.7.2.3",
            "AOS-10.4.1.11",
            "AOS-8.13.1.2",
            "AOS-8.12.0.7",
            "AOS-8.10.0.22"
          ],
          "url": "https://networkingsupport.hpe.com/globalsearch#tab=Software"
        },
        {
          "category": "workaround",
          "date": "2026-03-03T17:00:00.000Z",
          "details": "To minimize the likelihood of an attacker exploiting this vulnerability, HPE Aruba Networking recommends applying the following mitigations:\n\n  - To protect clients from this attack by a malicious actor on the \n    same AP, enable Management Frame Protection (MFP, 802.11w) \n    for WPA2-PSK|Enterprise SSIDs. \n\n    Note: MFP is mandatory for WPA3; therefore, no further action \n    is required for SSIDs with WPA3 encryption enabled.\n\n  - To protect clients from this attack by a malicious actor on a \n    different AP:\n\n    - For 802.1X SSIDs on Campus AP AOS-8.X: enable \n      \"denylist-sco-attack\" in the AAA profile.\n    - For 802.1X SSIDs on AOS-10.X: enable \"denylist-sco\" and either \n      802.11r or OKC in the SSID profile.\n    - For 802.1X SSIDs on Instant AP AOS-8.X: enable \"denylist-sco\" \n      and either 802.11r or OKC in the SSID profile after upgrading \n      to the minimum recommended 8.X version. \n \n  Note: There is no workaround for open/static PSK/unbound MPSK SSIDs.",
          "product_ids": [
            ">=10.8.0.0|<=10.8.0.0",
            ">=10.7.0.0|<=10.7.2.2",
            ">=10.4.0.0|<=10.4.1.10",
            ">=8.13.0.0|<=10.13.1.1",
            ">=8.12.0.0|<=10.12.0.6",
            ">=8.10.0.0|<=10.13.0.21"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "environmentalScore": 5.4,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 5.4,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            ">=10.8.0.0|<=10.8.0.0",
            ">=10.7.0.0|<=10.7.2.2",
            ">=10.4.0.0|<=10.4.1.10",
            ">=8.13.0.0|<=10.13.1.1",
            ">=8.12.0.0|<=10.12.0.6",
            ">=8.10.0.0|<=10.13.0.21"
          ]
        }
      ],
      "title": "MAC Address Spoofing leads to Inter-BSSID Isolation Bypass Resulting in Traffic Redirection"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Xin'an Zhou",
            "Juefei Pu",
            "Zhutian Liu",
            "Zhiyun Qian",
            "Zhaowei Tan",
            "Srikanth V. Krishnamurthy"
          ],
          "organization": "University of California"
        },
        {
          "names": [
            "Mathy Vanhoef"
          ],
          "organization": "DistriNet, KU Leuven"
        }
      ],
      "cve": "CVE-2026-23810",
      "notes": [
        {
          "category": "details",
          "text": "A vulnerability in the packet processing logic may allow an authenticated attacker to craft and transmit a malicious Wi-Fi frame that causes an Access Point (AP) to classify the frame as group-addressed traffic and re-encrypt it using the Group Temporal Key (GTK) associated with the victim's BSSID. Successful exploitation may enable GTK-independent traffic injection and, when combined with a port-stealing technique, allows an attacker to redirect intercepted traffic to facilitate machine-in-the-middle (MitM) attacks across BSSID boundaries.",
          "title": "Details"
        },
        {
          "category": "other",
          "text": "VULN-214",
          "title": "Internal Reference"
        }
      ],
      "product_status": {
        "fixed": [
          "AOS-10.8.0.1",
          "AOS-10.7.2.3",
          "AOS-10.4.1.11",
          "AOS-8.13.1.2",
          "AOS-8.12.0.7",
          "AOS-8.10.0.22"
        ],
        "known_affected": [
          ">=10.8.0.0|<=10.8.0.0",
          ">=10.7.0.0|<=10.7.2.2",
          ">=10.4.0.0|<=10.4.1.10",
          ">=8.13.0.0|<=10.13.1.1",
          ">=8.12.0.0|<=10.12.0.6",
          ">=8.10.0.0|<=10.13.0.21"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "AirSnitch research paper (NDSS Symposium 2026)",
          "url": "https://www.ndss-symposium.org/wp-content/uploads/2026-f1282-paper.pdf"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-03T17:00:00.000Z",
          "details": "Upgrade Mobility Conductors, Controllers, Gateways, and Access Points to one of the following AOS-10 or AOS-8 versions (as applicable) to resolve the vulnerabilities described in the details section:\n- AOS-10.8.x.x: 10.8.0.1 and above (Release ETA: First half of March 2026)\n- AOS-10.7.x.x: 10.7.2.3 and above\n- AOS-10.4.x.x: 10.4.1.11 and above\n- AOS-8.13.x.x: 8.13.1.2 and above\n- AOS-8.12.x.x: 8.12.0.7 and above (Release ETA: Second half of March 2026)\n- AOS-8.10.x.x: 8.10.0.22 and above (Release ETA: First half of March 2026)\n\nSoftware versions with resolution/fixes for the vulnerabilities covered above can be downloaded from the HPE Networking Support Portal at https://networkingsupport.hpe.com/globalsearch#tab=Software\n\nHPE Aruba Networking does not evaluate or patch AOS-10 and AOS-8 software branches that have reached their End of Maintenance (EoM) milestone. For more information about HPE Aruba Networking's End of Life policy visit: https://www.hpe.com/psnow/doc/a00143052enw.",
          "product_ids": [
            "AOS-10.8.0.1",
            "AOS-10.7.2.3",
            "AOS-10.4.1.11",
            "AOS-8.13.1.2",
            "AOS-8.12.0.7",
            "AOS-8.10.0.22"
          ],
          "url": "https://networkingsupport.hpe.com/globalsearch#tab=Software"
        },
        {
          "category": "workaround",
          "date": "2026-03-03T17:00:00.000Z",
          "details": "To minimize the likelihood of an attacker exploiting this vulnerability, HPE Aruba Networking recommends applying the following mitigations:\n- Ensure \"broadcast-filter ARP\" (enabled by default) is enabled; with this setting, only ARP/DHCP packets are sent to clients, and only after they have been converted to unicast.",
          "product_ids": [
            ">=10.8.0.0|<=10.8.0.0",
            ">=10.7.0.0|<=10.7.2.2",
            ">=10.4.0.0|<=10.4.1.10",
            ">=8.13.0.0|<=10.13.1.1",
            ">=8.12.0.0|<=10.12.0.6",
            ">=8.10.0.0|<=10.13.0.21"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "environmentalScore": 4.3,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 4.3,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            ">=10.8.0.0|<=10.8.0.0",
            ">=10.7.0.0|<=10.7.2.2",
            ">=10.4.0.0|<=10.4.1.10",
            ">=8.13.0.0|<=10.13.1.1",
            ">=8.12.0.0|<=10.12.0.6",
            ">=8.10.0.0|<=10.13.0.21"
          ]
        }
      ],
      "title": "Cross-BSSID GTK Re-encryption and Traffic Injection"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Xin'an Zhou",
            "Juefei Pu",
            "Zhutian Liu",
            "Zhiyun Qian",
            "Zhaowei Tan",
            "Srikanth V. Krishnamurthy"
          ],
          "organization": "University of California"
        },
        {
          "names": [
            "Mathy Vanhoef"
          ],
          "organization": "DistriNet, KU Leuven"
        }
      ],
      "cve": "CVE-2026-23811",
      "notes": [
        {
          "category": "details",
          "text": "A vulnerability in the client isolation mechanism may allow an attacker to bypass Layer 2 (L2) communication restrictions between clients and redirect traffic at Layer 3 (L3). In addition to bypassing policy enforcement, successful exploitation - when combined with a port-stealing attack - may enable a bi-directional Machine-in-the-Middle (MitM) attack.",
          "title": "Details"
        },
        {
          "category": "other",
          "text": "VULN-216",
          "title": "Internal Reference"
        }
      ],
      "product_status": {
        "fixed": [
          "AOS-10.8.0.1",
          "AOS-10.7.2.3",
          "AOS-10.4.1.11",
          "AOS-8.13.1.2",
          "AOS-8.12.0.7",
          "AOS-8.10.0.22"
        ],
        "known_affected": [
          ">=10.8.0.0|<=10.8.0.0",
          ">=10.7.0.0|<=10.7.2.2",
          ">=10.4.0.0|<=10.4.1.10",
          ">=8.13.0.0|<=10.13.1.1",
          ">=8.12.0.0|<=10.12.0.6",
          ">=8.10.0.0|<=10.13.0.21"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "Please refer to the URL below.",
          "url": "https://www.ndss-symposium.org/wp-content/uploads/2026-f1282-paper.pdf"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-03T17:00:00.000Z",
          "details": "Upgrade Mobility Conductors, Controllers, Gateways, and Access Points to one of the following AOS-10 or AOS-8 versions (as applicable) to resolve the vulnerabilities described in the details section: - AOS-10.8.x.x: 10.8.0.1 and above (Release ETA: First half of March 2026); - AOS-10.7.x.x: 10.7.2.3 and above; - AOS-10.4.x.x: 10.4.1.11 and above; - AOS-8.13.x.x: 8.13.1.2 and above; - AOS-8.12.x.x: 8.12.0.7 and above (Release ETA: Second half of March 2026); - AOS-8.10.x.x: 8.10.0.22 and above (Release ETA: First half of March 2026).\n\nSoftware versions with resolution/fixes for the vulnerabilities covered above can be downloaded from the HPE Networking Support Portal at https://networkingsupport.hpe.com/globalsearch#tab=Software\n\nHPE Aruba Networking does not evaluate or patch AOS-10 and AOS-8 software branches that have reached their End of Maintenance (EoM) milestone. For more information about HPE Aruba Networking's End of Life policy, visit: https://www.hpe.com/psnow/doc/a00143052enw.",
          "product_ids": [
            "AOS-10.8.0.1",
            "AOS-10.7.2.3",
            "AOS-10.4.1.11",
            "AOS-8.13.1.2",
            "AOS-8.12.0.7",
            "AOS-8.10.0.22"
          ],
          "url": "https://networkingsupport.hpe.com/globalsearch#tab=Software"
        },
        {
          "category": "workaround",
          "date": "2026-03-03T17:00:00.000Z",
          "details": "To reduce exposure to gateway bounce attacks, HPE Aruba Networking recommends enabling \"enforce-DHCP\" on affected systems to ensure that clients accept network configuration only from authorized DHCP exchanges.",
          "product_ids": [
            ">=10.8.0.0|<=10.8.0.0",
            ">=10.7.0.0|<=10.7.2.2",
            ">=10.4.0.0|<=10.4.1.10",
            ">=8.13.0.0|<=10.13.1.1",
            ">=8.12.0.0|<=10.12.0.6",
            ">=8.10.0.0|<=10.13.0.21"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "environmentalScore": 4.3,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 4.3,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            ">=10.8.0.0|<=10.8.0.0",
            ">=10.7.0.0|<=10.7.2.2",
            ">=10.4.0.0|<=10.4.1.10",
            ">=8.13.0.0|<=10.13.1.1",
            ">=8.12.0.0|<=10.12.0.6",
            ">=8.10.0.0|<=10.13.0.21"
          ]
        }
      ],
      "title": "Unauthorized Bi-Directional Traffic Interception via L2/L3 Manipulation"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Xin'an Zhou",
            "Juefei Pu",
            "Zhutian Liu",
            "Zhiyun Qian",
            "Zhaowei Tan",
            "Srikanth V. Krishnamurthy"
          ],
          "organization": "University of California"
        },
        {
          "names": [
            "Mathy Vanhoef"
          ],
          "organization": "DistriNet, KU Leuven"
        }
      ],
      "cve": "CVE-2026-23812",
      "notes": [
        {
          "category": "details",
          "text": "A vulnerability has been identified where an attacker connecting to an access point as a standard wired or wireless client can impersonate a gateway by leveraging an address-based spoofing technique. Successful exploitation enables the redirection of data streams, allowing for the interception or modification of traffic intended for the legitimate network gateway via a Machine-in-the-Middle (MitM) position.",
          "title": "Details"
        },
        {
          "category": "other",
          "text": "VULN-219",
          "title": "Internal Reference"
        }
      ],
      "product_status": {
        "fixed": [
          "AOS-10.8.0.1",
          "AOS-10.7.2.3",
          "AOS-10.4.1.11",
          "AOS-8.13.1.2",
          "AOS-8.12.0.7",
          "AOS-8.10.0.22"
        ],
        "known_affected": [
          ">=10.8.0.0|<=10.8.0.0",
          ">=10.7.0.0|<=10.7.2.2",
          ">=10.4.0.0|<=10.4.1.10",
          ">=8.13.0.0|<=10.13.1.1",
          ">=8.12.0.0|<=10.12.0.6",
          ">=8.10.0.0|<=10.13.0.21"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "Please refer to the URL below.",
          "url": "https://www.ndss-symposium.org/wp-content/uploads/2026-f1282-paper.pdf"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-03T17:00:00.000Z",
          "details": "Upgrade Mobility Conductors, Controllers, Gateways, and Access Points to one of the following AOS-10 or AOS-8 versions (as applicable) to resolve the vulnerabilities described in the details section: - AOS-10.8.x.x: 10.8.0.1 and above (Release ETA: First half of March 2026); - AOS-10.7.x.x: 10.7.2.3 and above; - AOS-10.4.x.x: 10.4.1.11 and above; - AOS-8.13.x.x: 8.13.1.2 and above; - AOS-8.12.x.x: 8.12.0.7 and above (Release ETA: Second half of March 2026); - AOS-8.10.x.x: 8.10.0.22 and above (Release ETA: First half of March 2026).\n\nSoftware versions with resolution/fixes for the vulnerabilities covered above can be downloaded from the HPE Networking Support Portal at https://networkingsupport.hpe.com/globalsearch#tab=Software\n\nHPE Aruba Networking does not evaluate or patch AOS-10 and AOS-8 software branches that have reached their End of Maintenance (EoM) milestone. For more information about HPE Aruba Networking's End of Life policy, visit: https://www.hpe.com/psnow/doc/a00143052enw.",
          "product_ids": [
            "AOS-10.8.0.1",
            "AOS-10.7.2.3",
            "AOS-10.4.1.11",
            "AOS-8.13.1.2",
            "AOS-8.12.0.7",
            "AOS-8.10.0.22"
          ],
          "url": "https://networkingsupport.hpe.com/globalsearch#tab=Software"
        },
        {
          "category": "workaround",
          "date": "2026-03-03T17:00:00.000Z",
          "details": "To minimize the likelihood of an attacker exploiting this vulnerability, HPE Aruba Networking recommends applying the following mitigations: - Campus APs (CAP) running AOS-8.x Full Tunnel/D-tunnel: configure RADSec between the controller and the RADIUS server. - APs running AOS-10.x and Instant AOS-8.x Underlay/Overlay: enable deny-intra-vlan-traffic to prevent the MitM attack; for overlay networks, additionally enable secure GRE. Note: CPsec can mitigate this vulnerability. CPsec is already enforced for Bridge-mode SSIDs and Remote APs (RAP) running AOS-8.x \"split-tunnel only.\"",
          "product_ids": [
            ">=10.8.0.0|<=10.8.0.0",
            ">=10.7.0.0|<=10.7.2.2",
            ">=10.4.0.0|<=10.4.1.10",
            ">=8.13.0.0|<=10.13.1.1",
            ">=8.12.0.0|<=10.12.0.6",
            ">=8.10.0.0|<=10.13.0.21"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "environmentalScore": 4.3,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 4.3,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            ">=10.8.0.0|<=10.8.0.0",
            ">=10.7.0.0|<=10.7.2.2",
            ">=10.4.0.0|<=10.4.1.10",
            ">=8.13.0.0|<=10.13.1.1",
            ">=8.12.0.0|<=10.12.0.6",
            ">=8.10.0.0|<=10.13.0.21"
          ]
        }
      ],
      "title": "Security Boundary Bypass via Routing Node Impersonation"
    }
  ]
}