Researchers Uncover Wi-Fi Vulnerability "AirSnitch" Exploiting Network Stack Weaknesses
A team of researchers from the University of California, Riverside, has identified a critical flaw in Wi-Fi security dubbed AirSnitch, which allows attackers to intercept network traffic even on networks with client isolation enabled. The vulnerability exploits gaps in how Wi-Fi links MAC addresses, encryption keys, and IP addresses across network layers (1, 2, and 3), enabling attackers to impersonate devices and reroute traffic.
Lead researcher Xin’an Zhou warned that AirSnitch "breaks worldwide Wi-Fi encryption" and could facilitate advanced attacks, including cookie theft, DNS poisoning, and cache manipulation, by effectively wiretapping the network. Unlike traditional exploits, AirSnitch does not crack encryption but instead undermines the assumption that encrypted clients are fully isolated from one another.
The attack leverages four primary methods to bypass client isolation:
- Shared Key Abuse – Exploiting the Group Temporal Key (GTK) used in most networks to broadcast malicious packets disguised as legitimate traffic.
- Gateway Bouncing – Sending data to an access point with the frame addressed to the gateway's MAC, tricking the gateway into forwarding it to the victim.
- MAC Spoofing (Downlink) – Mimicking a victim’s MAC address to intercept their incoming traffic.
- MAC Spoofing (Uplink) – Impersonating backend devices (e.g., gateways) to capture outgoing traffic from a target.
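The three address-based methods in this list (gateway bouncing and the two MAC spoofing variants) can be checked for on the access point or wireless controller. The following is an added example, not code from the researchers or any vendor: a heuristic detector run over constructed frame records. The record fields (assoc, src_mac, dst_mac, src_ip, dst_ip) and every address are assumptions made for illustration.

```python
from collections import namedtuple

# One frame received from a wireless station, as an AP could log it.
# "assoc" is a hypothetical per-association identifier assigned by the AP.
Frame = namedtuple("Frame", "assoc src_mac dst_mac src_ip dst_ip")

GATEWAY_MAC = "02:00:00:00:00:01"                # constructed value
CLIENT_IPS = {"192.0.2.10", "192.0.2.20"}        # isolated wireless clients
MAC_A, MAC_B = "02:00:00:00:00:10", "02:00:00:00:00:20"

FRAMES = [  # constructed sample data
    Frame(1, MAC_A, GATEWAY_MAC, "192.0.2.10", "198.51.100.7"),   # normal uplink
    Frame(2, MAC_B, GATEWAY_MAC, "192.0.2.20", "192.0.2.10"),     # L2 to gateway, L3 to a peer
    Frame(2, MAC_A, GATEWAY_MAC, "192.0.2.10", "198.51.100.7"),   # association 2 uses A's MAC
    Frame(2, GATEWAY_MAC, MAC_A, "192.0.2.1", "192.0.2.10"),      # station claims gateway MAC
    Frame(1, MAC_A, GATEWAY_MAC, "192.0.2.10", "198.51.100.7"),   # normal uplink
]

def detect(frames, gateway_mac, client_ips):
    """Return (frame index, finding) pairs for isolation-bypass indicators."""
    alerts = []
    owner = {}  # source MAC -> first association seen using it
    for i, f in enumerate(frames):
        # A wireless station must never transmit with the gateway's MAC.
        if f.src_mac == gateway_mac:
            alerts.append((i, "uplink-mac-spoof"))
            continue
        # The same client MAC appearing under a second association.
        if owner.setdefault(f.src_mac, f.assoc) != f.assoc:
            alerts.append((i, "downlink-mac-spoof"))
        # Layer 2 says "gateway", layer 3 says "another isolated client".
        if (f.dst_mac == gateway_mac and f.dst_ip in client_ips
                and f.dst_ip != f.src_ip):
            alerts.append((i, "gateway-bounce"))
    return alerts

if __name__ == "__main__":
    for index, finding in detect(FRAMES, GATEWAY_MAC, CLIENT_IPS):
        print(index, finding, FRAMES[index])
```

Each check compares identifiers from two layers (association, MAC, IP) that isolation enforced at a single layer treats independently.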
The vulnerability was confirmed across five consumer routers (Netgear Nighthawk x6 R8000, Tenda RX2 Pro, D-LINK DIR-3040, TP-Link Archer AXE75, Asus RT-AX57), two open-source firmwares (DD-WRT v3.0-r44715, OpenWrt 24.10), and two university enterprise networks, indicating the flaw is inherent to Wi-Fi architecture rather than specific hardware.
While the attack is complex, researchers emphasize that the findings highlight systemic weaknesses in Wi-Fi security, urging manufacturers and standards bodies to address these flaws in future protocols. The discovery underscores the need for stronger client isolation mechanisms to prevent such exploits.
"id": "tentp-net1772144683",
"linkid": "tenda, tp-link-corporation, netgear",
"type": "Vulnerability",
"date": "2/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"