CVE-2022-47522

HIGH

IEEE 802.11 through 802.11ax - Authentication Bypass by MAC Address Spoofing


Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-47522. PoCs published by toffeenutt.

AI-analyzed exploit summary: This repository contains a proof-of-concept exploit for CVE-2022-47522, which allows intercepting frames sent to arbitrary clients on a Wi-Fi network by leveraging a vulnerability in the MAC address spoofing mechanism. The exploit involves a deauthentication attack followed by MAC address spoofing to intercept traffic.

Description

The IEEE 802.11 specifications through 802.11ax allow physically proximate attackers to intercept (possibly cleartext) target-destined frames by spoofing a target's MAC address, sending Power Save frames to the access point, and then sending other frames to the access point (such as authentication frames or re-association frames) to remove the target's original security context. This behavior occurs because the specifications do not require an access point to purge its transmit queue before removing a client's pairwise encryption key.

Exploits (1)

nomisec WORKING POC
by toffeenutt · poc
https://github.com/toffeenutt/CVE-2022-47522-PoC

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Racy
Target: Wi-Fi networks with MFP disabled
No auth needed
Prerequisites: Two wireless network interfaces (one supporting monitor mode) · Victim and attacker on the same Wi-Fi network with MFP disabled · Physical proximity to the target network
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 7.5
EPSS: 0.0090
EPSS Percentile: 55.0%
Attack Vector: ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-290
Status: published
Products (30)
ieee/ieee_802.11
sonicwall/soho_250_firmware
sonicwall/soho_250w_firmware
sonicwall/sonicwave_224w_firmware
sonicwall/sonicwave_231c_firmware
sonicwall/sonicwave_432o_firmware
sonicwall/sonicwave_621_firmware
sonicwall/sonicwave_641_firmware
sonicwall/sonicwave_681_firmware
sonicwall/tz270_firmware
... and 20 more
Published: Apr 15, 2023
Tracked Since: Feb 18, 2026