Doesn't surprise me a bit.
Legal disclaimer. Some of what I'm going to reference might be illegal and this is for educational purposes only. You are a big boy and pull your own pants up so it's up to you to decide if you are going to follow applicable laws. If you have questions about the legality of some of the things mentioned look the shit up on Google. Some things that are legal in other parts of the world may not be legal where you live.
This does not surprise me at all. When I learned to audit wifi there were only a few types of attacks. But oh, let me count the ways.
WEP replay packets continuously until you have 5000 and reconstruct shit for password.
WPA send deauthentication frame to client and collect 4 way handshake. Run dictionary attack against handshake to recover password. For bonus KEKs build a rainbow table. A precomputed table will continue to work against the same AP after the password has changed. You just need to collect a new handshake. Mitigation: change the ESSID (that's the name of your wifi for newfags) because WPA/WPA2 uses that as a salt.
PMK rainbow tables. I think the last time I did this was with GenPMK or Cowpatty or some shit like that.
WPS PIN search. This is really easy to do and it doesn't take long because once you get half of the PIN it will tell you half of it is right and you just crack the other half which is only like 10,000 possibilities. Mitigation: don't use WPS.
WPS Pixie dust attack. Because some routers use a pseudorandom number generator that isn't very random this attack just sends a single WPS PIN attempt then uses the reply to calculate the WPS PIN. Mitigation: Get a router that isn't a piece of shit.
PMKID attack against WPA/WPA2. Easy mode. Requires tools that don't like to run on Ubuntu or Kali Linux. I've only seen this work in a video but there are tutorials for it. Requires a certain build of hashcat and some other shit. I had compatibility issues when I was trying this.
KRACK Key Reinstallation Attack on WPA/WPA2
How to get free wifi at coffee shop where you only get a 3600 second IP lease and your IP is then banned.
ifconfig wlan0 down && macchanger -r wlan0 && ifconfig wlan0 up
Then just login again.
I'm sure by now there are some new attacks that I don't know about. So this vulnerability in WPA3 does not surprise me.
How to mitigate wifi attacks.
Choose a long password with extended characters like $%^&* in it. More than 10 characters and not something that is in a standard dictionary or is a common chemical name or an encyclopedia entry. Don't use something like your street name, your mother's maiden name, your first pet or other Facebook tier security bullshit like that.
Change your password and your ESSID often. Don't use the stock ESSID like NETGEAR01 because chances are there are precomputed rainbow tables for factory ESSIDs for every fucking router you can think of.
Pro tip. Some routers can run on channel 13. Most clients won't scan for it. If you run on channel 13 most people don't even know your router is there unless they are scanning for it. This might not be legal in your jurisdiction. Check local laws before doing shit.
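
An added example, not part of the original post: a small Python audit of the mitigation advice above. It flags a factory-style ESSID and a weak passphrase, and shows why changing the ESSID invalidates a precomputed table: the WPA/WPA2-PSK master key is PBKDF2-HMAC-SHA1 over the passphrase with the ESSID as salt. The pattern list, function names and sample values are constructed for illustration, and the dictionary-word check from the post is not covered.

```python
import hashlib
import re

# Constructed, non-exhaustive patterns for factory-style ESSIDs (assumption).
DEFAULT_ESSID_PATTERNS = [r"^NETGEAR\d*$", r"^linksys$", r"^dlink$", r"^default$"]


def wpa2_pmk(passphrase, essid):
    """Derive the WPA/WPA2-PSK pairwise master key.

    PBKDF2-HMAC-SHA1, ESSID as salt, 4096 iterations, 32-byte output.
    """
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), essid.encode("utf-8"), 4096, 32
    )


def audit(essid, passphrase):
    """Return a list of findings for one ESSID/passphrase pair."""
    findings = []
    if any(re.match(p, essid, re.IGNORECASE) for p in DEFAULT_ESSID_PATTERNS):
        findings.append("factory-style ESSID")
    if len(passphrase) <= 10:
        findings.append("passphrase is 10 characters or fewer")
    if passphrase.isalnum():
        findings.append("passphrase has no extended characters")
    return findings


def essid_change_invalidates_table(passphrase, old_essid, new_essid):
    """True when the same passphrase yields a different PMK under the new ESSID,
    so a table precomputed for the old ESSID no longer applies."""
    return wpa2_pmk(passphrase, old_essid) != wpa2_pmk(passphrase, new_essid)


if __name__ == "__main__":
    # Constructed sample configurations.
    for essid, psk in [("NETGEAR01", "sunshine1"),
                       ("kitchen-ap-7f3", "t9$Lq^w2&Zr*8mB")]:
        print(essid, audit(essid, psk) or "no findings")
    print(essid_change_invalidates_table("sunshine1", "NETGEAR01", "kitchen-ap-7f3"))
```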