Alta video—1665: SSID Confusion and downgrade protection bypass vulnerabilities in wpa_supplicant
Release Date
11th of November 2025.
Overview
Two vulnerabilities were discovered in wpa_supplicant.
The first vulnerability is assigned CVE-2023-52424: The IEEE 802.11 standard sometimes enables an adversary to trick a victim into connecting to an unintended or untrusted network with Home WEP, Home WPA3 SAE-loop, Enterprise 802.1X/EAP, Mesh AMPE, or FILS, aka an "SSID Confusion" issue. This occurs because the SSID is not always used to derive the pairwise master key or session keys, and because there is not a protected exchange of an SSID during a 4-way handshake.
The second vulnerability does not have an assigned CVE: A vulnerability was discovered in the hostapd implementation of rejected groups information processing for SAE (Simultaneous Authentication of Equals) with the hash-to-element (H2E) option. This allows an attacker to modify SAE commit messages in a manner that can bypass downgrade protection for group negotiation in certain cases. A similar issue in the wpa_supplicant implementation can extend the applicability of the issue to additional cases when performing SAE H2E with a vulnerable hostapd implementation.
Affected Products
Avigilon Flex Camera:
- All Stable upgrade channel versions before 7.8.6.
- All Beta upgrade channel versions before 7.8.0.
Unaffected Products
Alta Video: all versions.
Avigilon Flex Camera:
- All Stable upgrade channel versions after and including 7.8.6.
- All Beta upgrade channel versions after and including 7.8.0.
Alta Video Cloud: all versions.
Resolution
This issue has been fixed in Avigilon Flex camera Beta upgrade channel version 7.8.0 and Stable upgrade channel version 7.8.6.
It is highly recommended that all Avigilon Flex camera installations running an affected version upgrade to the latest release as soon as possible. Releases are available to download through the Alta Video User Interface for Avigilon Flex cameras and the Avigilon Flex Camera Interface for unmanaged cameras.
Vulnerability Information
- CVE: CVE-2023-52424
- CVSSv3 score: 7.4 (High)
- CVSSv3 vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Mitigations
There are no known mitigations for this issue.
Workarounds
There are no known workarounds for this issue.
Acknowledgements
Issue reported by project maintainers.
Disclosure Timeline
- 20/07/2024 Issue found
- 12/04/2018 Root cause established
- 13/04/2018 Fix identified
- 04/09/2025 Patched Avigilon Flex Cameras (Beta upgrade channel) released
- 07/08/2025 Patched Avigilon Flex Cameras (Stable upgrade channel) released
- 11/11/2025 Vulnerability publicly disclosed