The vulnerability resides in the packet processing logic of HPE Aruba Wireless Controllers. An authenticated attacker can craft malicious Wi‑Fi frames that the Access Point incorrectly interprets as group‑addressed traffic and re‑encrypts using the victim’s Group Temporal Key (GTK). This flaw enables the attacker to inject traffic that is not bound to a specific BSSID and, when combined with a port‑stealing technique, can redirect the victim’s traffic for Man‑in‑the‑Middle attacks across BSSID boundaries. The weakness is classified as CWE‑300, reflecting a flaw that allows attackers to gain unauthorized access to encrypted traffic.

It affects Hewlett Packard Enterprise Aruba Networking Wireless Operating Systems (AOS‑8 & AOS‑10), including ArubaOS 10.8.0.0 and the associated AP family such as AP‑634, AP‑635, AP‑654, AP‑655, and others enumerated in the Common Platform Enumeration list. Specific version information from the CNA is not provided beyond the ArubaOS 10.8.0.0 baseline, so the vulnerability may impact multiple firmware releases in both AOS‑8 and AOS‑10 lines.

The CVSS base score is 4.3, reflecting a moderate impact, while the EPSS score is below 1 %, indicating a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Because the exploit requires an authenticated attacker, the attack vector is most likely within a trusted network where the attacker has privileged access or credentials to perform wireless frame injection. No publicly available exploit code is known, but the low EPSS suggests limited use in the wild.