CVE-2026-23809 MEDIUM

CVE-2026-23809: MAC Address Spoofing leads to Inter-BSSID Isolation Bypass Resulting in Traffic Redirection

Vendor: Hewlett Packard Enterprise (HPE)
Product: HPE Aruba Networking Wireless Operating System (AOS-10 & AOS-8)
Published: March 4, 2026
Last update: April 1, 2026

CVSS base score

5.4/10
Attack vector: Adjacent
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01 Description

A technique has been identified that adapts a known port-stealing method to Wi-Fi environments that use multiple BSSIDs. By leveraging the relationship between BSSIDs and their associated virtual ports, an attacker could potentially bypass inter-BSSID isolation controls. Successful exploitation may enable an attacker to redirect and intercept the victim's network traffic, potentially resulting in eavesdropping, session hijacking, or denial of service.

Key dates

02 Disclosure timeline

March 4, 2026: CVE published
April 1, 2026: Record updated