-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

HPE Aruba Networking Product Security Advisory
=============================================

Advisory ID: HPESBNW05026
CVE: CVE-2026-23601, CVE-2026-23808, CVE-2026-23809, CVE-2026-23810,
     CVE-2026-23811, CVE-2026-23812.
Publication Date: 2026-Mar-03
Status: Confirmed
Severity: Medium
Revision: 1

Title
=====
Multiple Vulnerabilities in HPE Aruba Networking Wireless Operating
Systems (AOS-8 and AOS-10) for Mobility Conductors, Controllers,
Gateways, and Access Points.

Overview
========
HPE Aruba Networking has released patches for ArubaOS (AOS-8 and
AOS-10) affecting Mobility Conductors, Controllers, Gateways, and
Access Points to address identified vulnerabilities in networks with
the Client Isolation feature enabled.

Affected Products
=================
HPE Aruba Networking
  - Mobility Conductors
  - Mobility Controllers
  - Mobility Gateways (Managed by HPE Aruba Networking Central)
  - AOS-10 Access Points (AOS-AP)
  - AOS-8 Instant Access Points (AOS-IAP)

Affected Software Version(s):
  - AOS-10.8.x.x: 10.8.0.0 and below
  - AOS-10.7.x.x: 10.7.2.2 and below
  - AOS-10.4.x.x: 10.4.1.10 and below
  - AOS-8.13.x.x: 8.13.1.1 and below
  - AOS-8.12.x.x: 8.12.0.6 and below
  - AOS-8.10.x.x: 8.10.0.21 and below

The following software versions that are End of Maintenance (EoM) are
affected by these vulnerabilities and are not addressed by this
advisory:
  - AOS-10.6.x.x: all
  - AOS-10.5.x.x: all
  - AOS-10.3.x.x: all
  - AOS-8.12.x.x: all
  - AOS-8.11.x.x: all
  - AOS-8.9.x.x: all
  - AOS-8.8.x.x: all
  - AOS-8.7.x.x: all
  - AOS-8.6.x.x: all
  - AOS-6.5.4.x: all
  - SD-WAN 8.7.0.0-2.3.0.x: all
  - SD-WAN 8.6.0.4-2.2.x.x: all

Unaffected Products
=================
Any other HPE Aruba Networking products and software versions not
specifically listed above are not affected by these vulnerabilities.

Details
========

Frame Injection via Shared GTK Allows Traffic Spoofing and Client
Compromise (CVE-2026-23601)
- ------------------------------------------------------------------
A vulnerability has been identified in the wireless encryption
handling of Wi-Fi transmissions. A malicious actor can generate
shared-key authenticated transmissions containing targeted payloads
while impersonating the identity of a primary BSSID. Successful
exploitation allows for the delivery of tampered data to specific
endpoints, bypassing standard cryptographic separation.

Internal References: VULN-212
Severity: Medium
CVSS v3.1 Base Score: 5.4
CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Discovery: These vulnerabilities were discovered by Xin'an Zhou,
Juefei Pu, Zhutian Liu, Zhiyun Qian, Zhaowei Tan, Srikanth V.
Krishnamurthy from University of California, and Mathy Vanhoef from
DistriNet, KU Leuven, and reported through the Wi-Fi Alliance.

Workaround: To minimize the likelihood of an attacker exploiting this
vulnerability, HPE Aruba Networking recommends applying the following
mitigations:
  - Passpoint SSIDs: enable group-frame-block.

  Note: There is no workaround for open/captive portal SSIDs.

Client Isolation Bypass via GTK Manipulation (CVE-2026-23808)
- ------------------------------------------------------------------
A vulnerability has been identified in a standardized wireless
roaming protocol that could enable a malicious actor to install an
attacker-controlled Group Temporal Key (GTK) on a client device.
Successful exploitation of this vulnerability could allow a remote
malicious actor to perform unauthorized frame injection, bypass
client isolation, interfere with cross-client traffic, and compromise
network segmentation, integrity, and confidentiality.

Internal References: VULN-213
Severity: Medium
CVSS v3.1 Base Score: 5.4
CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Discovery: These vulnerabilities were discovered by Xin'an Zhou,
Juefei Pu, Zhutian Liu, Zhiyun Qian, Zhaowei Tan, Srikanth V.
Krishnamurthy from University of California, and Mathy Vanhoef from
DistriNet, KU Leuven, and reported through the Wi-Fi Alliance.

Workaround: To minimize the likelihood of an attacker exploiting this
vulnerability, HPE Aruba Networking recommends applying the following
mitigations:
  - Passpoint SSIDs: enable group-frame-block.

  Note: There is no workaround for open/captive portal SSIDs.

MAC Address Spoofing leads to Inter-BSSID Isolation Bypass Resulting
in Traffic Redirection (CVE-2026-23809)
- ------------------------------------------------------------------
A technique has been identified that adapts a known port-stealing
method to Wi-Fi environments that use multiple BSSIDs. By leveraging
the relationship between BSSIDs and their associated virtual ports,
an attacker could potentially bypass inter-BSSID isolation controls.
Successful exploitation may enable an attacker to redirect and
intercept the victim's network traffic, potentially resulting in
eavesdropping, session hijacking, or denial of service.

Internal References: VULN-215
Severity: Medium
CVSS v3.1 Base Score: 5.4
CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Discovery: These vulnerabilities were discovered by Xin'an Zhou,
Juefei Pu, Zhutian Liu, Zhiyun Qian, Zhaowei Tan, Srikanth V.
Krishnamurthy from University of California, and Mathy Vanhoef from
DistriNet, KU Leuven, and reported through the Wi-Fi Alliance.

Workaround: To minimize the likelihood of an attacker exploiting this
vulnerability, HPE Aruba Networking recommends applying the following
mitigations:
  - To protect clients from this attack by a malicious actor on the
    same AP, enable Management Frame Protection (MFP, 802.11w) for
    WPA2-PSK|Enterprise SSIDs.
    Note: MFP is mandatory for WPA3; therefore, no further action is
    required for SSIDs with WPA3 encryption enabled.
  - To protect clients from this attack by a malicious actor on a
    different AP:
      - For 802.1X SSIDs on Campus AP AOS-8.X: enable
        "denylist-sco-attack" in the AAA profile.
      - For 802.1X SSIDs on AOS-10.X: enable "denylist-sco" and
        either 802.11r or OKC in the SSID profile.
      - For 802.1X SSIDs on Instant AP AOS-8.X: enable
        "denylist-sco" and either 802.11r or OKC in the SSID profile
        after upgrading to the minimum recommended 8.X version.

  Note: There is no workaround for open/static PSK/unbound MPSK SSIDs.

Cross-BSSID GTK Re-encryption and Traffic Injection (CVE-2026-23810)
- ------------------------------------------------------------------
A vulnerability in the packet processing logic may allow an
authenticated attacker to craft and transmit a malicious Wi-Fi frame
that causes an Access Point (AP) to classify the frame as
group-addressed traffic and re-encrypt it using the Group Temporal
Key (GTK) associated with the victim's BSSID. Successful exploitation
may enable GTK-independent traffic injection and, when combined with
a port-stealing technique, allows an attacker to redirect intercepted
traffic to facilitate machine-in-the-middle (MitM) attacks across
BSSID boundaries.

Internal References: VULN-214
Severity: Medium
CVSS v3.1 Base Score: 4.3
CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Discovery: These vulnerabilities were discovered by Xin'an Zhou,
Juefei Pu, Zhutian Liu, Zhiyun Qian, Zhaowei Tan, Srikanth V.
Krishnamurthy from University of California, and Mathy Vanhoef from
DistriNet, KU Leuven, and reported through the Wi-Fi Alliance.

Workaround: To minimize the likelihood of an attacker exploiting this
vulnerability, HPE Aruba Networking recommends applying the following
mitigations:
  - Ensure "broadcast-filter ARP" (enabled by default) is enabled,
    which will *only* allow ARP/DHCP packets to be sent to clients
    after converting them to unicast.

Unauthorized Bi-Directional Traffic Interception via L2/L3
Manipulation (CVE-2026-23811)
- ------------------------------------------------------------------
A vulnerability in the client isolation mechanism may allow an
attacker to bypass Layer 2 (L2) communication restrictions between
clients and redirect traffic at Layer 3 (L3). In addition to
bypassing policy enforcement, successful exploitation - when combined
with a port-stealing attack - may enable a bi-directional
Machine-in-the-Middle (MitM) attack.

Internal References: VULN-216
Severity: Medium
CVSS v3.1 Base Score: 4.3
CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Discovery: These vulnerabilities were discovered by Xin'an Zhou,
Juefei Pu, Zhutian Liu, Zhiyun Qian, Zhaowei Tan, Srikanth V.
Krishnamurthy from University of California, and Mathy Vanhoef from
DistriNet, KU Leuven, and reported through the Wi-Fi Alliance.

Workaround: To reduce exposure to gateway bounce attacks, HPE Aruba
Networking recommends enabling "enforce-DHCP" on affected systems to
ensure that clients accept network configuration only from authorized
DHCP exchanges.

Security Boundary Bypass via Routing Node Impersonation
(CVE-2026-23812)
- ------------------------------------------------------------------
A vulnerability has been identified where an attacker connecting to
an access point as a standard wired or wireless client can
impersonate a gateway by leveraging an address-based spoofing
technique. Successful exploitation enables the redirection of data
streams, allowing for the interception or modification of traffic
intended for the legitimate network gateway via a
Machine-in-the-Middle (MitM) position.

Internal References: VULN-219
Severity: Medium
CVSS v3.1 Base Score: 4.3
CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Discovery: These vulnerabilities were discovered by Xin'an Zhou,
Juefei Pu, Zhutian Liu, Zhiyun Qian, Zhaowei Tan, Srikanth V.
Krishnamurthy from University of California, and Mathy Vanhoef from
DistriNet, KU Leuven, and reported through the Wi-Fi Alliance.

Workaround: To minimize the likelihood of an attacker exploiting this
vulnerability, HPE Aruba Networking recommends applying the following
mitigations:
  - Campus APs (CAP) running AOS-8.X Full Tunnel/D-tunnel
      - Configure RADSec between controller and RADIUS Server.
  - APs running AOS-10.x and Instant AOS-8.x Underlay/Overlay
      - Enable deny-intra-vlan-traffic to prevent MiTM attack.
      - For overlay network, additionally enable secure GRE.

  Note: CPsec can mitigate this vulnerability. CPsec is already
  enforced for Bridge-mode SSID and Remote APs (RAP) running AOS-8.x
  "split-tunnel only."

Resolution
==========
Upgrade Mobility Conductors, Controllers, Gateways, and Access Points
to one of the following AOS-10 or AOS-8 versions (as applicable) to
resolve the vulnerabilities described in the details section:
  - AOS-10.8.x.x: 10.8.0.1 and above
    (Release ETA: First half of March 2026)
  - AOS-10.7.x.x: 10.7.2.3 and above
  - AOS-10.4.x.x: 10.4.1.11 and above
  - AOS-8.13.x.x: 8.13.1.2 and above
  - AOS-8.12.x.x: 8.12.0.7 and above
    (Release ETA: Second half of March 2026)
  - AOS-8.10.x.x: 8.10.0.22 and above
    (Release ETA: First half of March 2026)

Software versions with resolution/fixes for the vulnerabilities
covered above can be downloaded from the HPE Networking Support
Portal at https://networkingsupport.hpe.com/globalsearch#tab=Software

HPE Aruba Networking does not evaluate or patch AOS-10 and AOS-8
software branches that have reached their End of Maintenance (EoM)
milestone.

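Added example (not part of the HPE advisory): a fleet triage sketch that applies the affected, fixed, and End of Maintenance version lists above to a device inventory. Assumptions: versions are four-part strings; SD-WAN style build strings are returned as "unparsed" for manual review; AOS-8.12, which appears on both lists, is treated as patchable because a fixed build is named; the device names are constructed.

```python
import re

# Minimum fixed build per maintained branch (advisory "Resolution" list).
FIXED = {
    (10, 8): (10, 8, 0, 1), (10, 7): (10, 7, 2, 3), (10, 4): (10, 4, 1, 11),
    (8, 13): (8, 13, 1, 2), (8, 12): (8, 12, 0, 7), (8, 10): (8, 10, 0, 22),
}
# Branches whose fixed build carried a release ETA when the advisory was published.
ETA_PENDING = {(10, 8), (8, 12), (8, 10)}
# End of Maintenance prefixes: affected, no fix. AOS-8.12 is on both of the
# page's lists; assumption here: the branch with a named fix is patchable.
EOM = [(10, 6), (10, 5), (10, 3), (8, 11), (8, 9), (8, 8), (8, 7), (8, 6), (6, 5, 4)]

def parse(version):
    """Turn 'AOS-10.7.2.2' or '10.7.2.2' into (10, 7, 2, 2)."""
    m = re.fullmatch(r"(?:AOS-)?(\d+)\.(\d+)\.(\d+)\.(\d+)", version.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.groups())

def triage(version):
    """Return (status, upgrade_target, fix_had_eta) for one running version."""
    v = parse(version)
    fix = FIXED.get(v[:2])
    if fix is not None:
        if v >= fix:
            return ("fixed", None, False)
        return ("affected", ".".join(map(str, fix)), v[:2] in ETA_PENDING)
    if any(v[:len(prefix)] == prefix for prefix in EOM):
        return ("affected-eom", None, False)  # no patch: move to a maintained branch
    return ("not-listed", None, False)

def triage_fleet(inventory):
    """Map each device to its triage result; bad strings are flagged, not dropped."""
    report = {}
    for device, version in inventory.items():
        try:
            report[device] = triage(version)
        except ValueError:
            report[device] = ("unparsed", None, False)
    return report

# Constructed inventory (hypothetical device names), not data from the advisory.
SAMPLE = {"ctrl-01": "8.10.0.21", "gw-02": "AOS-10.7.2.3", "iap-03": "8.11.2.4",
          "ap-04": "10.8.0.0", "lab-05": "6.5.4.12", "odd-06": "8.7.0.0-2.3.0.1"}

if __name__ == "__main__":
    for device, result in triage_fleet(SAMPLE).items():
        print(device, *result)
```

Devices reported as "affected" with fix_had_eta set are the ones where the per-CVE workarounds have to carry the risk until the fixed build is available.
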
For more information about HPE Aruba Networking's End of Life policy
visit: https://www.hpe.com/psnow/doc/a00143052enw

Workaround
==========
Vulnerability-specific workarounds are listed per vulnerability
above. You may contact HPE Services - Aruba Networking for assistance
if needed. For more information, please visit HPE Aruba Networking
Support Portal at https://networkingsupport.hpe.com/home.

Exploitation and Public Discussion
==================================
HPE Aruba Networking is aware of a publicly disclosed research paper
that discusses related techniques with the title of AirSnitch. As of
the advisory's release date, HPE Aruba Networking has no evidence
that these vulnerabilities are being actively exploited in HPE Aruba
Networking Wireless Operating Systems (AOS-10 or AOS-8) or in any
other HPE Aruba Networking Products.

For additional information, please refer to the link below:
https://www.ndss-symposium.org/wp-content/uploads/2026-f1282-paper.pdf.

Revision History
================
Revision 1 / 2026-Mar-03 / Initial release

HPE Aruba Networking SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in HPE
Aruba Networking products and obtaining assistance with security
incidents is available at:
https://www.hpe.com/support/security-response-policy

For reporting *NEW* HPE Aruba Networking security issues, email can
be sent to aruba-sirt(at)hpe.com. For sensitive information we
encourage the use of PGP encryption. Our public keys can be found at:
https://www.hpe.com/info/psrt-pgp-key

(c) Copyright 2026 by Hewlett Packard Enterprise Development LP.
This advisory may be redistributed freely after the release date
given at the top of the text, provided that the redistributed copies
are complete and unmodified, including all data and version
information.