CVE-1999-0513 is 27 years old. The mechanism is alive. A 2026 enterprise wireless controller with no uRPF, no directed broadcast filtering, and an ICMP Echo handler that reflects to any source address gives you Smurf amplification from L2 adjacency. This post documents the full chain.
ArubaOS 8.13.2.0 reads 18 bytes past packet boundaries via inflated IP Total Length. TTL=0 packets — which RFC 791 mandates must be destroyed — are processed and replied to, making the attack invisible. 27/27 crafted packets confirmed. Bugcrowd said zeroed bytes mean no vulnerability. CVE-2003-0001 and CVE-2021-3031 were accepted on the identical mechanism.
A 28-year-old vulnerability class — Smurf amplification — alive in an enterprise controller shipping in 2026. Two independent packet captures prove reflection. Bugcrowd called it expected behavior. No fix issued.
ArubaOS 8.13.2.0 exposes an unauthenticated XML parser on port 32000 that resolves external entities, enabling OOB SSRF and internal port scanning. Wire-level pcap + target sshd log confirm server-side execution. Bugcrowd closed it as theoretical. No fix issued.