Impact
A vulnerability in the standardized wireless roaming protocol allows a remote actor to inject a maliciously crafted Group Temporal Key (GTK) onto a client device. Once installed, the attacker can perform unauthorized frame injection, bypass client isolation policies, interfere with cross‑client traffic, and compromise network segmentation integrity and confidentiality. The weakness is a code injection flaw (CWE‑94) that manipulates the GTK handling logic.
Affected Systems
Hewlett Packard Enterprise Aruba Networking Wireless Operating System (AOS‑10 & AOS‑8) running on Aruba access points such as the 7010, 7030, 7205, 7210, 7220, 7240xm, 7280, 9004‑LTE, 9004, 9012, 9106, 9114, 9240, AP‑634, AP‑635, AP‑654, and AP‑655. The issue applies to devices and firmware versions listed in the shared CPE mapping and the referenced ArubaOS 10.8.0.0 release.
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity. The EPSS score of less than 1% suggests that the probability of exploitation is low at the time of analysis. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector, as inferred from the description, is the roaming protocol over Wi‑Fi; a remote actor could inject the crafted GTK without physical access, provided the target network allows roaming firmware updates or GTK re‑announcement. Successful exploitation would give the attacker a foothold sufficient to disrupt traffic isolation and potentially intercept sensitive data.