Informational

Medium

Advisory: AirSnitch Vulnerabilities in Sophos AP6 and APX Series Access Points

CVE(S)

N/A

PRODUCT(S)

Sophos Wireless

Updated

2026 Apr 21

Article Version

1

First Published

2026 Apr 21

Publication ID

sophos-sa-20260421-airsnitch

Workaround

Yes

Overview

AirSnitch is a class of Wi‑Fi client isolation bypass techniques that can allow an attacker on the same SSID to inject, intercept, or relay traffic between clients that are expected to be isolated. It can affect Sophos wireless access points (Sophos AP6 series and Sophos APX series) depending on the specific attack variant, wireless mode, SSID design, and upstream network protections.

AirSnitch has been publicly described in NDSS’26 research and related reporting.

The techniques differ in outcome. Some primarily enable traffic injection, while others enable traffic interception. Full man‑in‑the‑middle (MitM) scenarios typically require chaining an injection technique with an interception technique and/or permissive upstream routing.


  • Injection-oriented paths: GTK Abuse, Broadcast Reflection, Gateway Bouncing
  • Interception-oriented path: Port Stealing

Sophos AP6 series access points are only vulnerable to injection-oriented paths, making full MitM outcomes impossible with AirSnitch alone.


Customer action is required. There is currently no complete mitigation for this class of attacks and no remediation/fix available at this time. Apply the workarounds and network design protections below, and ensure you implement the specific workarounds relevant to each attack variant present in your environment.

Applies to the following product(s) and version(s)

  • Sophos AP6 series (all versions; exposure depends on configuration and attack variant)
  • Sophos APX series (all versions; exposure depends on configuration and attack variant)

Remediation

No remediation or fixed version is currently available for this class of attacks.

Workaround

Common mitigations (apply to multiple techniques)

There is currently no complete mitigation for this class of attacks. The mitigations below reduce risk.


  • Reduce broadcast exposure
    • Enable Proxy ARP (Wireless Settings → SSID → Proxy ARP)
  • Stronger segmentation
    • Avoid flat networks for untrusted clients
    • Use VLAN segmentation and distinct security policies
    • Avoid mixing trusted and untrusted clients on the same AP/SSID where feasible
  • Enforce IP-layer isolation
    • Apply gateway/firewall policy to block client‑to‑client traffic at Layer 3 within the same subnet where possible (including hairpin traffic)
  • Switch/gateway anti-spoofing (where supported)
    • DHCP Snooping
    • IP Source Guard
    • Gateway source validation (e.g., uRPF)

Group Temporal Key (GTK) Abuse

Description and impact

An attacker can abuse the group key(s) that the Wi-Fi specification requires to be shared between all clients in the same Wi-Fi network (SSID). Because every associated client holds the same GTK, it can be used to inject packets directly to one or more clients in the Wi-Fi network.

Vulnerability Status

Sophos AP6 and APX series access points are vulnerable when using:


  • WPA2-Personal
  • WPA3-Personal
  • WPA2/WPA3-Personal (mixed mode)

Mitigation and Recommendations

  • See “Common mitigations (apply to multiple techniques)” above
  • Use WPA2/WPA3-Enterprise (802.1X) with an external RADIUS server instead of shared key authentication modes. This improves access control and reduces unauthorized access but does not eliminate GTK-based attack vectors.

Gateway Bouncing

Description and impact

This technique exploits the gap between Layer 2 (data link) and Layer 3 (network) isolation in Wi-Fi networks.

An attacker sends a crafted frame with:


  • Layer 2 (MAC address): Set to the upstream gateway
  • Layer 3 (IP address): Set to the victim client

The access point forwards the frame toward the gateway because it appears to be legitimate upstream traffic. The gateway then routes the packet back to the victim, effectively “bouncing” the traffic through itself, which can be used to inject packets directly to one or more clients in the Wi-Fi network.

Vulnerability Status

Both Sophos AP6 and APX series access points are vulnerable.

Mitigation and Recommendations

  • See “Common mitigations (apply to multiple techniques)” above
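To make the gateway-side checks from “Common mitigations” concrete, and to show how they stop the Gateway Bouncing pattern described above, the following Python model (an added illustration, not Sophos code and not a Sophos AP or firewall feature) evaluates constructed packets against three of those mitigations: an IP Source Guard style lookup against a DHCP snooping binding table, a strict uRPF check, and an IP-layer isolation rule that drops hairpinned intra-subnet traffic. The subnet 10.10.20.0/24, the gateway MAC, the interface names wlan0/wan0 and the binding table are all assumptions chosen for the example.

```python
"""
Gateway-side policy checks modelled on the advisory's common mitigations:
IP-layer client isolation (including hairpin traffic), IP Source Guard style
source validation from a DHCP snooping binding table, and a strict uRPF check.

Added illustration; not Sophos code. Interface names, addresses and the
binding table are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

WLAN_SUBNET = ipaddress.ip_network("10.10.20.0/24")   # assumed client subnet
GATEWAY_MAC = "aa:bb:cc:00:00:01"                      # assumed gateway MAC

# DHCP snooping bindings (constructed): client MAC -> IP it was leased.
BINDINGS = {
    "02:00:00:00:00:0a": "10.10.20.10",
    "02:00:00:00:00:0b": "10.10.20.11",
}

# Which prefixes are reachable via which gateway interface (constructed).
# Strict uRPF: a packet arriving on an interface must carry a source address
# that the gateway would route back out of that same interface.
IFACE_ROUTES = {
    "wlan0": [WLAN_SUBNET],
    "wan0": [ipaddress.ip_network("0.0.0.0/0")],
}


@dataclass(frozen=True)
class Packet:
    ingress: str
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


def source_guard_ok(pkt):
    """IP Source Guard: on the client-facing interface, src MAC/IP must match a binding."""
    if pkt.ingress != "wlan0":
        return True
    return BINDINGS.get(pkt.src_mac) == pkt.src_ip


def urpf_ok(pkt):
    """Strict uRPF: the longest-prefix route back to src_ip must point at the ingress interface."""
    src = ipaddress.ip_address(pkt.src_ip)
    best_iface, best_len = None, -1
    for iface, nets in IFACE_ROUTES.items():
        for net in nets:
            if src in net and net.prefixlen > best_len:
                best_iface, best_len = iface, net.prefixlen
    return best_iface == pkt.ingress


def is_hairpin(pkt):
    """Layer 3 isolation: a client-subnet packet addressed to the gateway MAC
    whose IP destination is back inside the same client subnet (the
    gateway-bouncing pattern)."""
    return (pkt.ingress == "wlan0"
            and pkt.dst_mac == GATEWAY_MAC
            and ipaddress.ip_address(pkt.dst_ip) in WLAN_SUBNET)


def gateway_decision(pkt):
    """Return ('forward', reason) or ('drop', reason) for one packet."""
    if not source_guard_ok(pkt):
        return "drop", "source-guard: src IP does not match DHCP binding for src MAC"
    if not urpf_ok(pkt):
        return "drop", "urpf: source not routable via ingress interface"
    if is_hairpin(pkt):
        return "drop", "isolation: intra-subnet hairpin via gateway"
    return "forward", "ok"


# Constructed sample traffic; 93.184.216.34 stands in for an internet host.
SAMPLE = [
    # Legitimate: bound client to the internet.
    Packet("wlan0", "02:00:00:00:00:0a", GATEWAY_MAC, "10.10.20.10", "93.184.216.34"),
    # Gateway-bouncing pattern: sent to the gateway MAC, IP destination is another client.
    Packet("wlan0", "02:00:00:00:00:0a", GATEWAY_MAC, "10.10.20.10", "10.10.20.11"),
    # Source IP does not match the sender's DHCP binding.
    Packet("wlan0", "02:00:00:00:00:0a", GATEWAY_MAC, "10.10.20.11", "93.184.216.34"),
    # Packet arriving from the WAN side claiming a WLAN-subnet source.
    Packet("wan0", "aa:bb:cc:00:00:99", GATEWAY_MAC, "10.10.20.10", "10.10.20.11"),
]


def evaluate(packets=SAMPLE):
    """Apply the gateway policy to each packet; returns a list of (action, reason)."""
    return [gateway_decision(p) for p in packets]


if __name__ == "__main__":
    for pkt, (action, reason) in zip(SAMPLE, evaluate()):
        print(f"{pkt.ingress:5} {pkt.src_ip:>13} -> {pkt.dst_ip:<15} {action:7} {reason}")
```

Run it directly to see each sample packet's verdict. The order of the checks only affects the reason string; in a real deployment DHCP snooping and IP Source Guard are enforced at the access port, so the second and third sample packets would normally never reach the routing hop, and the isolation rule at the gateway is the backstop that catches the bounce when the access layer lacks those features.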

Port Stealing (Downlink and Uplink)

Description

Port stealing exploits how an access point learns and maintains its Layer 2 forwarding table.

An attacker spoofs the MAC address of:


  • A victim client (downlink), or
  • The network gateway (uplink)

This causes the AP to associate the legitimate MAC address with the attacker’s interface, allowing traffic interception by the attacker.

This can occur both within the same SSID (Intra-WLAN), and across SSIDs on the same AP (Cross-SSID).

Vulnerability Status

Sophos AP6 series access points are not vulnerable.

Sophos APX series access points are vulnerable.

Additional Hardening (AP6 only)

Enable 802.11w (Protected Management Frames) on SSIDs (SSID → Settings → Advanced Settings → Quality of Service → Enable 802.11w). This protects management frames from spoofing and strengthens overall wireless security posture.

Mitigation and Recommendations (APX)

  • See “Common mitigations (apply to multiple techniques)” above
  • Reduce cross-SSID exposure
    • Minimize SSIDs per AP
    • Disable unused or redundant SSIDs
    • Avoid overlapping trust zones
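The following Python sketch (an added illustration, not Sophos code, and not based on any Sophos AP log format) shows what port stealing looks like from the defender's side of the forwarding table: a MAC that the AP already learned behind one associated station reappears behind a different station shortly afterwards. It classifies moves of the gateway MAC as uplink, moves between SSIDs as cross-SSID and the rest as intra-WLAN, matching the variants described above. The event tuples, SSID names, station identifiers and MAC addresses are constructed, and the model assumes the AP can tell which associated station transmitted each learned frame.

```python
"""
Monitor for the port-stealing pattern: a MAC the AP has already learned behind
one station/SSID suddenly appears behind another. Added illustration, not
Sophos code; the event format, SSID names, station identifiers and addresses
are constructed and do not represent Sophos AP log formats.
"""

GATEWAY_MAC = "aa:bb:cc:00:00:01"   # assumed upstream gateway MAC

# Constructed forwarding-table learn events: (time_s, mac, ssid, station).
# 'station' identifies the associated wireless client (or the wired uplink
# port) from which the AP received the frame that taught it the MAC.
EVENTS = [
    (0.0, GATEWAY_MAC, "uplink", "eth0"),
    (1.0, "02:00:00:00:00:0a", "corp", "sta-A"),
    (1.5, "02:00:00:00:00:0b", "corp", "sta-B"),
    (2.0, "02:00:00:00:00:0c", "guest", "sta-C"),
    (5.0, "02:00:00:00:00:0b", "corp", "sta-A"),    # another corp client's MAC now behind sta-A (downlink)
    (6.0, GATEWAY_MAC, "guest", "sta-C"),           # gateway MAC learned from a wireless station (uplink)
    (7.0, "02:00:00:00:00:0a", "guest", "sta-C"),   # corp client's MAC learned on the guest SSID (cross-SSID)
    (40.0, "02:00:00:00:00:0b", "corp", "sta-B"),   # original owner re-learned much later
]


def detect_port_stealing(events, window_s=30.0):
    """Return alerts for MACs that move between stations.

    Each alert is (time, mac, kind, previous_location, new_location) where
    kind is 'uplink' for the gateway MAC (flagged regardless of timing),
    'cross-ssid' when the SSID changes within window_s seconds, otherwise
    'intra-wlan'. Moves older than window_s are treated as a genuine
    re-learn and not reported.
    """
    last = {}       # mac -> (time, ssid, station) of the most recent learn
    alerts = []
    for t, mac, ssid, station in sorted(events):
        prev = last.get(mac)
        last[mac] = (t, ssid, station)
        if prev is None or prev[2] == station:
            continue                      # first sighting or same station: nothing to flag
        age = t - prev[0]
        if mac == GATEWAY_MAC:
            kind = "uplink"
        elif age > window_s:
            continue
        elif prev[1] != ssid:
            kind = "cross-ssid"
        else:
            kind = "intra-wlan"
        alerts.append((t, mac, kind, f"{prev[1]}/{prev[2]}", f"{ssid}/{station}"))
    return alerts


if __name__ == "__main__":
    for t, mac, kind, old, new in detect_port_stealing(EVENTS):
        print(f"t={t:5.1f}s  {kind:10}  {mac}  {old} -> {new}")
```

The window keeps the example conservative: the re-learn at t=40 s is not reported with the default 30 s window but is with a 60 s one, while any move of the gateway MAC onto a wireless station is reported regardless of timing because the gateway should only ever be learned from the uplink. The same table view explains why an AP that refuses to re-learn a MAC from a different associated station (as the advisory states for the AP6 series) is not exposed to this technique.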

Broadcast Reflection

Description and impact

Broadcast Reflection is an AirSnitch technique that can bypass Wi‑Fi client isolation by using broadcast (or multicast) delivery as a carrier for targeted traffic. An attacker transmits a specially crafted Wi‑Fi frame that appears to be group-addressed traffic (broadcast/multicast) but contains a unicast IP payload intended for a specific victim client. If the network forwards this frame as group traffic, the victim can receive and process the embedded unicast payload even when direct client‑to‑client communication is expected to be blocked, allowing an attacker to inject packets directly to one or more clients in the Wi-Fi network.

Vulnerability Status

Both Sophos AP6 and APX series access points are vulnerable.

Mitigation and Recommendations

  • See “Common mitigations (apply to multiple techniques)” above
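One way a monitoring tool could spot the Layer 2 / Layer 3 inconsistency that Broadcast Reflection relies on, as an added example that is not part of this advisory or of any Sophos product: a group-addressed destination MAC should carry a group IP destination, and a multicast IP should arrive on its derived MAC. The check goes slightly beyond the advisory's description by also validating the IPv4 (RFC 1112) and IPv6 (RFC 2464) multicast-to-MAC mappings, so a multicast group delivered on the wrong group MAC is flagged as well. The client subnet 10.10.20.0/24 and the sample frames are constructed.

```python
"""
Layer 2 / Layer 3 consistency check for the broadcast-reflection pattern:
a frame whose destination MAC is group-addressed (broadcast or multicast)
must carry a group-addressed IP destination, and a multicast IP must map to
its derived group MAC. Added illustration, not Sophos code; the subnet and
the sample frames are constructed.
"""
import ipaddress

SUBNET = ipaddress.ip_network("10.10.20.0/24")   # assumed client subnet
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def is_group_mac(mac):
    """The I/G bit (least significant bit of the first octet) marks broadcast/multicast MACs."""
    return bool(int(mac.split(":")[0], 16) & 0x01)


def multicast_mac(ip):
    """Derived group MAC: RFC 1112 for IPv4 (01:00:5e + low 23 bits),
    RFC 2464 for IPv6 (33:33 + low 32 bits)."""
    b = ip.packed
    if ip.version == 4:
        return "01:00:5e:%02x:%02x:%02x" % (b[1] & 0x7F, b[2], b[3])
    return "33:33:%02x:%02x:%02x:%02x" % tuple(b[12:16])


def check_group_frame(dst_mac, dst_ip, subnet=SUBNET):
    """Classify the IP destination carried by a frame.

    Returns (verdict, detail): 'ok' for consistent delivery, 'reflection'
    when a group MAC carries a unicast IP destination, 'mismatch' when a
    group IP destination does not match the group MAC it arrived on.
    """
    dst_mac = dst_mac.lower()
    ip = ipaddress.ip_address(dst_ip)
    if not is_group_mac(dst_mac):
        return "ok", "unicast frame"
    if ip.is_multicast:
        expected = multicast_mac(ip)
        if dst_mac == expected:
            return "ok", "multicast mapping consistent"
        return "mismatch", f"expected {expected} for {ip}, got {dst_mac}"
    if ip.version == 4 and ip in (subnet.broadcast_address, LIMITED_BROADCAST):
        if dst_mac == BROADCAST_MAC:
            return "ok", "broadcast consistent"
        return "mismatch", "broadcast IP on non-broadcast group MAC"
    # Group-addressed at Layer 2 but a specific host at Layer 3.
    return "reflection", f"group MAC {dst_mac} carrying unicast destination {ip}"


# Constructed sample frames: (destination MAC, destination IP).
SAMPLE_FRAMES = [
    ("ff:ff:ff:ff:ff:ff", "10.10.20.255"),   # ordinary subnet broadcast
    ("01:00:5e:00:00:fb", "224.0.0.251"),    # mDNS group, correctly mapped
    ("01:00:5e:00:00:fb", "224.0.0.252"),    # LLMNR group delivered on the mDNS MAC
    ("ff:ff:ff:ff:ff:ff", "10.10.20.11"),    # reflection pattern: broadcast MAC, unicast IP
    ("02:00:00:00:00:0b", "10.10.20.11"),    # normal unicast
]


def scan(frames=SAMPLE_FRAMES):
    """Return the verdict for each frame in order."""
    return [check_group_frame(mac, ip)[0] for mac, ip in frames]


if __name__ == "__main__":
    for (mac, ip), verdict in zip(SAMPLE_FRAMES, scan()):
        print(f"{mac}  {ip:<14} {verdict}")
```

The check is deliberately limited to what the AP or a wireless IDS can observe per frame; it says nothing about whether the group frame was legitimately originated, which is why the advisory's recommendations still centre on reducing broadcast exposure (Proxy ARP) and on segmentation rather than on frame inspection alone.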

Related information


Sophos Responsible Disclosure Policy

To learn about Sophos security vulnerability disclosure policies and publications, see the Responsible Disclosure Policy.