HPE Aruba Networking Wireless Protocol Client Isolation Bypass Vulnerability

Vulnerability

A vulnerability exists in a standardized wireless roaming protocol that allows a malicious actor to install an attacker-controlled Group Temporal Key (GTK) on a client device. Successful exploitation could enable unauthorized frame injection, bypass client isolation, disrupt cross-client traffic, and compromise network segmentation, integrity, and confidentiality. The vulnerability affects HPE Aruba Networking Wireless Operating Systems AOS-8 and AOS-10, specifically in Mobility Conductors, Controllers, Gateways, and Access Points. Affected AOS-10 versions include 10.8.0.0 and below, 10.7.2.2 and below, and 10.4.1.10 and below. Affected AOS-8 versions include 8.13.1.1 and below, 8.12.0.6 and below, and 8.10.0.21 and below.

Impact

Exploitation allows for unauthorized frame injection, bypassing client isolation, interfering with cross-client traffic, and compromising network segmentation, integrity, and confidentiality.

Remediation

Users are advised to upgrade to AOS-10.8.0.1 and above, AOS-10.7.2.3 and above, AOS-10.4.1.11 and above, AOS-8.13.1.2 and above, AOS-8.12.0.7 and above, or AOS-8.10.0.22 and above. For more information, visit the HPE Networking Support Portal.
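
To triage an inventory against the fixed releases listed above, the following is an added example (not HPE code). It assumes each entry applies to its own release branch (the first two version components), that a version string may carry an "AOS-" prefix or a build suffix, and it uses constructed device names.

```python
import re

# Fixed release for each branch, taken from the Remediation section above.
FIXED = {
    (10, 8): (10, 8, 0, 1),
    (10, 7): (10, 7, 2, 3),
    (10, 4): (10, 4, 1, 11),
    (8, 13): (8, 13, 1, 2),
    (8, 12): (8, 12, 0, 7),
    (8, 10): (8, 10, 0, 22),
}

# Assumption: optional "AOS-" prefix and optional "_build"/"-build" suffix.
_VERSION = re.compile(r"^(?:AOS-)?(\d+)\.(\d+)\.(\d+)\.(\d+)(?:[_-]\w+)?$")

def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not w.x.y.z."""
    m = _VERSION.match(text.strip())
    return tuple(int(g) for g in m.groups()) if m else None

def classify(text):
    """Return 'affected', 'fixed', 'unlisted' or 'unparsed' for one version."""
    version = parse_version(text)
    if version is None:
        return "unparsed"
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "unlisted"  # branch not named in the advisory: check with the vendor
    # Tuples compare numerically, so 8.10.0.9 sorts below 8.10.0.22.
    return "fixed" if version >= fixed else "affected"

def triage(inventory):
    """Map {device: version} to {status: sorted device names}."""
    report = {}
    for device, version in inventory.items():
        report.setdefault(classify(version), []).append(device)
    return {status: sorted(names) for status, names in report.items()}

# Constructed sample inventory (hypothetical device names).
SAMPLE = {
    "ctrl-hq-01": "8.10.0.9",
    "ctrl-hq-02": "AOS-8.12.0.7",
    "ap-lobby-01": "10.7.2.2_91000",
    "gw-branch-01": "10.6.1.0",
    "ap-lab-01": "unknown",
}

if __name__ == "__main__":
    for status, names in triage(SAMPLE).items():
        print(status, names)
```

Devices reported as "unlisted" run a branch the advisory does not name and need a separate check against the HPE Networking Support Portal.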

Added: Mar 4, 2026, 5:26 PM
Updated: Mar 4, 2026, 6:19 PM

Vulnerability Rating

Custom Algorithm

spread: 6.8
impact: 0.6
exploitability: 4.5
remediation: 7.9
relevance: 3.5
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.