HPE Access Points, GTK Re-encryption Bypass, CVE-2026-23810 (Medium)

Listen to this Post

A vulnerability exists in the packet processing logic of certain HPE Access Points. An authenticated attacker can craft and transmit a malicious Wi-Fi frame. This frame causes the AP to misclassify it as group-addressed traffic. Consequently, the AP re-encrypts the frame using the Group Temporal Key (GTK) of the victim’s BSSID. This allows the attacker to inject traffic that appears legitimate, bypassing standard per-station encryption. When combined with a port-stealing technique, the attacker can redirect intercepted traffic. This effectively places them in a machine-in-the-middle (MitM) position. The attack can span across different BSSID boundaries, breaking network segmentation. The root cause is improper handling of frame classification before encryption. This leads to the use of a shared key (GTK) instead of a unique session key. The attack requires the attacker to be within Wi-Fi range and authenticated to the network. It does not require user interaction, increasing its practical risk. While the confidentiality impact is low, it paves the way for further attacks.

dailycve form:

Platform: HPE Access Points
Version: Various ArubaOS
Vulnerability: GTK Re-encryption Bypass
Severity: Medium (4.3)
Date: March 4, 2026

Prediction: 30 days

What Undercode Say:

Analytics:

CVE-2026-23810 targets the fundamental 802.11 encryption separation between unicast (PTK) and group (GTK) traffic. By forcing the AP to use the GTK for frames directed to a specific station, it breaks the confidentiality normally provided by the pairwise key. The CVSS vector (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) indicates a low complexity attack from adjacent network with no privileges required.

Exploit:

Attacker Script Concept (Conceptual - Requires 'airmon-ng' and 'mdk4' or custom frame injection)
1. Identify target network and client.
sudo airmon-ng start wlan0
sudo airodump-ng wlan0mon
2. Capture a valid data frame from the target client to extract necessary information (like BSSID, MAC).
Let target BSSID = AA:BB:CC:DD:EE:FF, Client MAC = 11:22:33:44:55:66
3. Craft a malicious frame using a packet crafting tool (Scapy example below).
The goal is to set frame control flags to mimic a group-addressed frame while keeping the individual destination address.
4. Inject the frame.
sudo mdk4 wlan0mon p -t AA:BB:CC:DD:EE:FF -c 1 -f crafted_frame.pcap
Python/Scapy snippet to craft the malicious frame:
from scapy.all import
radiotap = RadioTap()
dot11 = Dot11(addr1="11:22:33:44:55:66", addr2="AA:BB:CC:DD:EE:FF", addr3="AA:BB:CC:DD:EE:FF")
dot11.FCfield = 0x20 Set the 'To DS' bit (example flag, actual malicious flags may vary)
The core of the attack is manipulating classification bits so the AP treats this unicast frame as group-addressed.
frame = radiotap / dot11 / LLC() / SNAP() / Raw(load='malicious_payload')
wrpcap('malicious_frame.pcap', frame)

Protection from this CVE:

1. Apply firmware patch from HPE/Aruba.
Check current version:
show version
2. Download and install the update from the official support site.
Example for ArubaOS (commands vary by model):
copy tftp://192.168.1.100/ArubaOS_Update_X.X.X.X.swi flash:
boot system flash:/ArubaOS_Update_X.X.X.X.swi
3. Mitigation: Enable client isolation features if network design permits.
configure terminal
wlan ssid-profile "Corporate_SSID"
client-isolation
end
4. Monitor for anomalous traffic patterns, specifically large volumes of re-encrypted group-addressed traffic.
(Requires a WIDS/WIPS)

Impact:

Successful exploitation allows an attacker to inject arbitrary packets encrypted with the GTK. This bypasses the per-station encryption, enabling packet injection and, when combined with port stealing, a full machine-in-the-middle attack. This can lead to session hijacking, data interception, and traffic manipulation, undermining the security of the entire BSSID. The attacker does not need the GTK itself, only the ability to trigger its misuse by the AP.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top