CVE-2022-37660

6.5 MEDIUM

📋 TL;DR

CVE-2022-37660 is a vulnerability in the PKEX (Public Key Exchange) bootstrapping code of hostapd's DPP (Wi-Fi Easy Connect) implementation. In hostapd 2.10 and earlier, the PKEX state is left active after a PKEX bootstrapping exchange has completed successfully. An attacker who previously bootstrapped public keys with an entity using PKEX can therefore subvert a later bootstrapping attempt against that same entity by passively observing the public keys it exchanges. Any device that runs hostapd 2.10 or earlier as a DPP-capable Wi-Fi access point is affected.

💻 Affected Systems

Products:
  • hostapd
Versions: 2.10 and earlier
Operating Systems: Linux, Embedded systems using hostapd
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when PKEX (Public Key Exchange) is enabled and used for Wi-Fi security bootstrapping.

📦 What is this software?

hostapd is the user-space daemon from the w1.fi project that implements the access point side of IEEE 802.11, including WPA/WPA2/WPA3 authentication and the IEEE 802.1X/EAP/RADIUS authenticator. When built with CONFIG_DPP it also implements Wi-Fi Easy Connect (DPP). PKEX is the DPP bootstrapping method that lets two devices establish trusted public keys from a short shared code; that PKEX code is where this vulnerability lies.

⚠️ Risk & Real-World Impact

🔴

Worst Case

By subverting a later PKEX bootstrapping, an attacker inserts themselves into the provisioning relationship with the access point, can obtain or influence the credentials issued through it, and from there can mount man-in-the-middle attacks on or decrypt traffic of the affected Wi-Fi network.

🟠

Likely Case

Targeted attacks against specific networks by an attacker who completed a PKEX exchange with the target in the past and is within radio range when the next bootstrapping takes place, leading to compromised Wi-Fi security for that network.

🟢

If Mitigated

Limited impact if PKEX is never used (onboarding by QR code or other DPP bootstrapping methods, or no DPP at all), or if the network additionally relies on certificate-based authentication (WPA2/WPA3-Enterprise) so that a subverted bootstrap does not by itself yield usable credentials.

🌐 Internet-Facing: MEDIUM - The attack is carried out over the air, so the attacker must be within radio range of the access point and its peer; whether the AP's management interface is reachable from the internet is irrelevant. Exploitation also requires a prior successful PKEX exchange with the target.
🏢 Internal Only: LOW - The same radio-range requirement applies, and the need for a prior successful PKEX exchange with the target rules out opportunistic exploitation of internal networks.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires a prior successful PKEX bootstrapping with the target entity, radio proximity to observe the later exchange, and an understanding of the DPP/PKEX message flow. No public proof of concept is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in hostapd commit 15af83cf1846870873a011ed4d714732f01cd2e4 and later versions

Vendor Advisory: https://w1.fi/cgit/hostap/commit/?id=15af83cf1846870873a011ed4d714732f01cd2e4

Restart Required: Yes

Instructions:

1. Update hostapd to a build that includes commit 15af83cf1846870873a011ed4d714732f01cd2e4 (or a distribution package that backports it).
2. Restart the hostapd service.
3. Re-run your PKEX onboarding procedure and confirm that a completed exchange is no longer left active, i.e. a repeat PKEX exchange from the same peer is not accepted against the stale state.

🔧 Temporary Workarounds

Disable PKEX

linux

Do not use PKEX bootstrapping until the fix is applied. Note that PKEX is not enabled through a hostapd.conf setting: it is started at runtime over the control interface (the DPP_PKEX_ADD command) and is only compiled in when hostapd is built with CONFIG_DPP=y. A build without CONFIG_DPP is not affected.

# Stop any PKEX instance that is currently active on the AP (all of them):
#   hostapd_cli -i <iface> dpp_pkex_remove '*'
# Stop starting PKEX for onboarding (use another DPP bootstrapping method, e.g. QR code) until patched
# After updating the package: systemctl restart hostapd

🧯 If You Can't Patch

  • Remove active PKEX instances with dpp_pkex_remove as soon as an onboarding exchange completes, and only start PKEX for the duration of an onboarding
  • Restrict access to the hostapd control interface (ctrl_interface / ctrl_interface_group), since PKEX is started and stopped through it
  • Implement network segmentation to isolate Wi-Fi networks from critical systems

🔍 How to Verify

Check if Vulnerable:

Check the hostapd version with hostapd -v. If the banner reports 2.10 or earlier, the build includes DPP (CONFIG_DPP=y), and PKEX is used for bootstrapping, the system is vulnerable unless the distribution package has backported the fix; the version string alone does not tell you that, so check the package changelog or applied patches as well.

Check Version:

hostapd -v

Verify Fix Applied:

Verify that the running hostapd build includes commit 15af83cf1846870873a011ed4d714732f01cd2e4 (upstream release newer than 2.10, or a distribution package whose changelog or patch list references the commit or CVE-2022-37660), then exercise PKEX onboarding and confirm the exchange is no longer left active after it completes.
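The version check described in this section, as an added example for this advisory (not code from the hostapd project). It assumes that hostapd -v prints a first line of the form "hostapd vX.Y" (optionally with a suffix such as "-devel") and that the affected range is 2.10 and earlier as stated above. Whether PKEX is actually used and whether a distribution backported the fix cannot be read from the banner, so the operator passes those in:

```python
"""Assess whether a hostapd build falls in the CVE-2022-37660 affected range.

Added example for this advisory; not code from the hostapd project.
Assumes `hostapd -v` prints a banner line "hostapd vX.Y[-suffix]".
"""
import re
import subprocess
from typing import Optional, Tuple

# Last upstream release in the affected range ("2.10 and earlier").
LAST_AFFECTED_RELEASE = (2, 10)

# Matches "hostapd v2.10", "hostapd v2.9-devel", "hostapd v2.11", ...
_BANNER_RE = re.compile(r"\bhostapd v(\d+)\.(\d+)")


def parse_hostapd_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from `hostapd -v` output, or None if unrecognised."""
    match = _BANNER_RE.search(banner)
    if match is None:
        return None
    return int(match.group(1)), int(match.group(2))


def assess(banner: str, pkex_in_use: bool, fix_backported: bool = False) -> str:
    """Classify a host as 'unknown', 'not-affected', 'patched' or 'vulnerable'.

    pkex_in_use:    operator-supplied; True if PKEX bootstrapping is used here.
    fix_backported: operator-supplied; True if the distro package carries the
                    upstream fix even though the banner still says 2.10 or older.
    """
    version = parse_hostapd_version(banner)
    if version is None:
        return "unknown"
    if version > LAST_AFFECTED_RELEASE:
        return "not-affected"        # newer than 2.10: the fix is upstream
    if fix_backported:
        return "patched"
    if not pkex_in_use:
        return "not-affected"        # the PKEX code path is never reached
    return "vulnerable"


def assess_local_host(pkex_in_use: bool, fix_backported: bool = False) -> str:
    """Run `hostapd -v` on this machine and classify it (needs hostapd installed)."""
    proc = subprocess.run(["hostapd", "-v"], capture_output=True, text=True)
    # hostapd writes the banner to stderr; search both streams to be safe.
    return assess(proc.stdout + proc.stderr, pkex_in_use, fix_backported)


if __name__ == "__main__":
    import sys
    print(assess_local_host(pkex_in_use="--pkex" in sys.argv,
                            fix_backported="--backported" in sys.argv))
```

Run it as python3 check.py --pkex on an AP that uses PKEX onboarding; add --backported once you have confirmed from the package changelog that the fix commit is included.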

📡 Detection & Monitoring

Log Indicators:

  • A new PKEX exchange started by a peer that already completed PKEX bootstrapping with this access point (the condition the fix prevents)
  • Repeated or bursty PKEX exchange attempts from one peer, or unusual DPP/PKEX errors in hostapd logs (DPP events are reported on the control interface and at debug log level, so raise the log level or subscribe to DPP-* events to see them)

Network Indicators:

  • Repeated DPP Public Action frames for PKEX from the same source address
  • Unexpected DPP authentication or configuration failures following a PKEX exchange

SIEM Query (pseudo-syntax; adapt field names to your log source):

hostapd_logs AND (PKEX OR "public key exchange") AND (error OR failure OR repeat_exchange_from_known_peer)
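The log-side detection described above, as an added example for this advisory and not code from the hostapd project. The log lines are constructed for the example, and the message texts "PKEX Exchange Request from <mac>" and "PKEX bootstrapping completed with <mac>" are assumed stand-ins: map the two regular expressions to whatever your hostapd build actually emits (DPP-* control-interface events or -dd debug output). Once a peer has completed PKEX with this AP, any later PKEX exchange request from the same peer is reported, because a second bootstrap against an already-bootstrapped identity is exactly what the vulnerable code allows; a burst of requests from one peer inside a short window is reported as well.

```python
"""Flag repeat or bursty PKEX bootstrapping per peer in hostapd-style logs.

Added example for this advisory; not code from the hostapd project.
Log format and message texts below are assumed, not hostapd's verbatim output.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List

# Assumed line shape: "<ISO timestamp> <iface>: DPP: <message>"
_LINE_RE = re.compile(r"^(\S+)\s+(\S+):\s+DPP:\s+(.*)$")
_MAC = r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})"
# Assumed stand-in messages; adapt to the events your build emits.
_PKEX_REQ_RE = re.compile(r"PKEX Exchange Request from " + _MAC, re.I)
_PKEX_DONE_RE = re.compile(r"PKEX bootstrapping completed with " + _MAC, re.I)

BURST_THRESHOLD = 3      # this many requests from one peer ...
BURST_WINDOW_S = 60      # ... within this many seconds is reported

# Constructed sample log: peer 02:11:... bootstraps, then comes back later;
# peer 02:de:... hammers PKEX three times in 20 seconds.
SAMPLE_LOG = """\
2024-05-01T10:00:00 wlan0: DPP: PKEX Exchange Request from 02:11:22:33:44:55
2024-05-01T10:00:01 wlan0: DPP: PKEX bootstrapping completed with 02:11:22:33:44:55
2024-05-01T10:05:00 wlan0: DPP: PKEX Exchange Request from 02:aa:bb:cc:dd:ee
2024-05-01T10:05:01 wlan0: DPP: PKEX bootstrapping completed with 02:aa:bb:cc:dd:ee
2024-05-01T11:30:00 wlan0: DPP: PKEX Exchange Request from 02:11:22:33:44:55
2024-05-01T12:00:00 wlan0: DPP: PKEX Exchange Request from 02:de:ad:be:ef:01
2024-05-01T12:00:10 wlan0: DPP: PKEX Exchange Request from 02:de:ad:be:ef:01
2024-05-01T12:00:20 wlan0: DPP: PKEX Exchange Request from 02:de:ad:be:ef:01
""".splitlines()


def analyse(lines: List[str]) -> List[str]:
    """Return one alert string per suspicious PKEX event, in log order."""
    bootstrapped: Dict[str, str] = {}                   # peer -> timestamp of completed PKEX
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)  # peer -> request times in window
    alerts: List[str] = []
    for line in lines:
        m = _LINE_RE.match(line)
        if not m:
            continue                                    # not a DPP line
        ts_str, iface, msg = m.groups()
        ts = datetime.fromisoformat(ts_str)
        done = _PKEX_DONE_RE.search(msg)
        if done:
            bootstrapped[done.group(1).lower()] = ts_str
            continue
        req = _PKEX_REQ_RE.search(msg)
        if not req:
            continue
        peer = req.group(1).lower()
        # Repeat bootstrap against an identity that already completed PKEX.
        if peer in bootstrapped:
            alerts.append(f"{ts_str} {iface}: repeat PKEX from {peer} "
                          f"(already bootstrapped at {bootstrapped[peer]})")
        # Sliding-window burst detection; alert once when the threshold is hit.
        window = recent[peer]
        window.append(ts)
        while (ts - window[0]).total_seconds() > BURST_WINDOW_S:
            window.popleft()
        if len(window) == BURST_THRESHOLD:
            alerts.append(f"{ts_str} {iface}: {BURST_THRESHOLD} PKEX requests "
                          f"from {peer} within {BURST_WINDOW_S}s")
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The "repeat PKEX from a known peer" alert is the one tied to this CVE; the burst rule is a generic hygiene check. Feed the function your collected hostapd lines (or wire the same two conditions into your SIEM) rather than the constructed sample.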

🔗 References

  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2022-37660
  • Upstream fix commit: https://w1.fi/cgit/hostap/commit/?id=15af83cf1846870873a011ed4d714732f01cd2e4
